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Part 1. iSeries NetServer 


iSeries Support for Windows® Network Neighborhood (iSeries NetServer) is an 
IBM® Operating System/400® (OS/400®) function that enables Windows 98, 
Windows NT®, 2000, Me, and XP clients to access OS/400 shared directory paths 
and shared output queues. Windows clients on a network utilize the file and print 
sharing functions that are included in their operating systems. You do not need to 
install any additional software on your PC to use and benefit from iSeries 
NetServer. However, if you need_to_ administer iSeries NetServer properties from 


your PC client, you must have jiSeries Access for Windows} iSeries Navigator, and 
OS/400 Host Servers — Option 12 installed. 


Linux and Samba client support 


The Linux/Samba client is also supported on iSeries NetServer. This support 
allows a Linux client running Samba to connect to iSeries NetServer through the 
smbclient and smbmount client utilities. ASCII printing (text, PDF, and postscript) 
is supported through the smbclient utility. 


The Linux requirement is a kernel version of 2.4.4 or greater and Samba 2.0.7 or 
greater. Samba is an open-source client and file server that is compatibile with 
Microsoft® Networking, which comes with many current distributions of Linux. 
For more information on Samba, Samba commands, or to download the latest 


version, see the|Samba Web site (www.samba.org) : 


For more information on using Linux/Samba to access iSeries NetServer, see the 


iSeries. NetServer Web site 


(http:/ /www.ibm.com/eserver/iseries/netserver/linux.html) 2 : 

See the following information for specific information on getting started with and 
using iSeries NetServer. 

hapter 1, “What’s new for V5R2” on page 3 

ontains information on changes and additions to iSeries NetServer for V5R2. 


AQ 


hapter 2, “Print this topic” on page 5 

ontains information on printing this topic and other related topics. 

hapter 4, “Get started” on page 11 

ontains the information you need to get iSeries NetServer up and running. 
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hapter 5, “Administer iSeries NetServer” on page 2 
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client. 


hapter 6, “iSeries NetServer file shares” on page 37 
ontains information about iSeries NetServer’s file-sharing capabilities. 


AQ 


hapter 7, “iSeries NetServer print shares” on page 41 
ontains information about iSeries NetServer’s print-sharing capabilities. 


AQ 


hapter 8, “iSeries NetServer domain logon support” on page 45 
ontains information about logging on to an iSeries NetServer domain. 


Q| Qa 


hapter 9, “iSeries NetServer security” on page 57 
Contains information about using iSeries NetServer securely. 


CQ 


hapter 10, “Use Windows-style messages with iSeries NetServer” on page 59 
Contains information about using Windows style messages on the iSeries 
server. 


hapter 11, “Tips and techniques” on page 63 
ontains information on optimizing iSeries NetServer. 


Q)}Qq1aQ 


hapter 12, “iSeries NetServer API guide” on page 65 
Contains a list of the Application Program Interfaces (APIs) available for 
administration of iSeries NetServer. 
hapter 13, “Backup and recovery of configuration and share information” on 
age 67 
Contains important information about iSeries NetServer backup and recovery. 


, 


Chapter 14, “Troubleshoot iSeries NetServer” on page 69 
Contains information on troubleshooting problems with iSeries NetServer. 
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Chapter 1. What’s new for V5R2 


Changes to iSeries NetServer support and functionality include the following: 
* iSeries NetServer now supports the following Kerberos protocol specifications:. 


— Kerberos Version 5 protocol |Request for Comment (RFC) 1510)“ . 
For more details on iSeries NetServer support for Kerberos V5 enablement, see 
“iSeries NetServer support for Kerberos v5 authentication” on page 24 


* You can now specify the subsystem in which the TCP/IP file server and iSeries 


NetServer jobs run. For more details, see|“Specify subsystems for iSeries 
NetServer” on page 29 


* iSeries NetServer now supports Windows XP. 


¢ The Linux/Samba client is now supported on iSeries NetServer. For more 
information, see |Linux and Samba client support 
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Chapter 2. Print this topic 
To view or download the PDF version, select (324 KB or 74 


pages). 


You can also view or print any of the following PDFs: 


T™ 


* Redbooks : 


The AS/400 NetServer Advantage hws (about 154 pages) describes how to 


configure and administer iSeries NetServer shares and printers and describes 
considerations for moving file and print serving from an Integrated Netfinity® 
Server using Warp Server/400 or Novell Netware to iSeries NetServer. 


To save a PDF on your workstation for viewing or printing: 

Open the PDF in your browser (click the link above). 

In the menu of your browser, click File. 

Click Save As... 

Navigate to the directory in which you would like to save the PDF. 
Click Save. 


oO Pon> 


If you need Adobe Acrobat Reader to view or print these PDFs, you can download 
a copy from the|Adobe Web site 


(www.adobe.com/prodindex/acrobat/readstep.html) 2 : 
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Chapter 3. iSeries NetServer versus iSeries Access for 
Windows 


You do not need to have iSeries Access for Windows or iSeries Navigator installed 
to use and benefit from iSeries NetServer. Although iSeries NetServer provides 

specific support for accessing integrated file system and printing resources, it does 
not provide the same range of tools and interfaces as iSeries Access for Windows . 


iSeries NetServer and iSeries Access for Windows differ in the following ways: 


iSeries NetServer 


* Does not require any proprietary software that is installed on the PC client. The 
operating system of your PC client contains all of the software that is required to 
access iSeries NetServer. iSeries NetServer does not require that you install 
additional software unless you are administering iSeries NetServer functions 
from a PC client by using iSeries Navigator. 


* You can share a directory with read-only access. 

* You can hide a share from the network by ending the share name with a §. 
* You can hide iSeries NetServer from Windows Network Neighborhood. 

* You can share individual directories. This lends to better OS/400 security. 


iSeries Access for Windows 


¢ Has additional functions not available in Windows: 5250 emulation and data 
transfer. 


For information on installing iSeries Access for Windows, see|“Install iSeries Access 
for Windows on Windows PCs using iSeries NetServer” 


Install iSeries Access for Windows on Windows PCs using iSeries 
NetServer 


You can use iSeries NetServer to easily install iSeries Access for Windows on your 
Windows client. Remember, administering iSeries NetServer from a PC client 
requires the use of iSeries Navigator, which is a subcomponent of iSeries Access for 
Windows. To install iSeries Access for Windows on your Windows client, follow 
these steps: 


For Windows 98 and NT: 
1. Open the Windows Start menu. 
2. Select Find from the Start menu and select Computer. 


3. In the Computer Name field, enter the system name of iSeries NetServer (for 
example, QSYSTEM1). 


Double-click the computer that was found in step|3} 
Open the QIBM folder. 

Open the ProdData folder. 

Open the CA400 folder. 

Open the Express folder. 

Open the Install folder. 


ON Oe 
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10. Open the Image folder. 


11. Double-click Setup.exe. The iSeries Access for Windows Install Wizard takes 
you through the process of installing iSeries Access for Windows on your PC. 


Note: Ensure that you select to have the Network option of iSeries Navigator 
installed. 


For Windows 2000 and ME: 

. Open the Windows Start menu. 

. Select Search. 

. Select For files or Folders... 

. Click the Computers link. 

In the Computer Name field, specify the server name of iSeries NetServer. 
. Click Search Now. 

. Double-click the computer that was found in step|3 on page 7] 
. Open the QIBM folder. 

. Open the ProdData folder. 

. Open the CA400 folder. 

Open the Express folder. 

. Open the Install folder. 

. Open the Image folder. 


Se ee ee ee 2 


. Double-click Setup.exe. The iSeries Access for Windows Install Wizard takes 
you through the process of installing iSeries Access for Windows on your PC. 


Note: Ensure that you select to have the Network option of iSeries Navigator 
installed. 


For Windows XP: 
1. Open the Windows Start menu. 
2. Select Search. 
3. Click Computers or People. 
4. Click A Computer in the Network. 
5. Specify the server name for iSeries NetServer in the appropriate field. 
6. Click Search. 
7. Double-click the computer that was found in step|3 on page 7] 
8. Open the QIBM folder. 
9. Open the ProdData folder. 
10. Open the CA400 folder. 
11. Open the Express folder. 
12. Open the Install folder. 
13. Open the Image folder. 


14. Double-click Setup.exe. The iSeries Access for Windows Install Wizard takes 
you through the process of installing iSeries Access for Windows on your PC. 


Note: Ensure that you select to have the Network option of iSeries Navigator 
installed. 


iSeries NetServer shares the Q1BM directory with clients in order to allow OS/400 
users who already have user profiles to install iSeries Access for Windows on their 
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PC clients. However, iSeries NetServer does not automatically configure guest 
support, and users without iSeries user profiles are not able to access integrated 
file system directories and output queues using iSeries NetServer. Only the 
network administrator can remove the file share for the QIBM directory. 


To allow guests to have access to shared resources, you must configure the iSeries 


NetServer Advanced - Next start properties with a user profile for guest or 
anonymous users. 


Chapter 3. iSeries NetServer versus iSeries Access for Windows 
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Chapter 4. Get started 


iSeries NetServer allows personal computers that run Windows or Linux software 
to seamlessly access data and printers that are managed by your iSeries server. 
Review the following information to begin using iSeries NetServer: 


nu 
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Lists the necessary requirements for using iSeries NetServer. 


“Quick start guide” on page 12 

Provides you with a fast path for getting iSeries NetServer set up if you do not 
have iSeries Navigator installed. 

“Set up your PC client to use iSeries NetServer” on page 13 

Ensures that you have properly set up your PC operating system to use iSeries 
NetServer. 

“Connect your PC client” on page 16 

Allows you to locate iSeries NetServer and use its file and print-sharing 
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“Find iSeries NetServer on the iSeries network” on page 19 
Ensures that you can access shared resources on the iSeries network. 


“Start iSeries NetServer” on page 21 


Gives you immediate access to shared resources on the iSeries network. 


Requirements 


iSeries NetServer allows personal computers that run Windows or Linux software 
to seamlessly access data and printers that are managed by your iSeries. Review 
the following list of items to ensure that you have the necessary requirements: 


To function properly on iSeries and with network clients, iSeries NetServer requires 
the following: 


* An iSeries server properly connected with Version 4 Release 2 (V4R2) OS/400 or 
later configured for a TCP/IP network. 


* A system name that does not conflict with the system name that Client Access 
for Windows NT uses. See |Server name guidelines| for more information. 
* An up and running Network Printing Server (NPS) in order to make use of 


iSeries NetServer print sharing capabilities. See the|“Quick start guide” on| 
page 12]for more information. 


* Client for Microsoft Networks network component installed on your PC client. 
Once this component and TCP/IP are installed and configured, you will have 
access to the integrated file system directories and the iSeries server output 
queues shared with the network. 


Note: If Linux clients are used, the appropriate Samba support must also be 
installed. 


* The iSeries NetServer server name and Internet Protocol (IP) address resolution 
strategy. For example, Domain Name System (DNS), Windows Internet Naming 
Service (WINS), or LMHOSTS file. 
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Quick start guide 


iSeries NetServer support does not require you to install any additional software 
on your personal computer. iSeries NetServer takes advantage of the file and print 
sharing features that come with your Windows operating system software. 
Similarly, iSeries NetServer does not require any software on the iSeries server 
other than the IBM Operating System/400 Version 4 Release 5 or later base 
operating system. Boss Option 12 (Host Servers), an optional part of the Base OS, 
needs to be installed for proper iSeries NetServer function. 


There are three requirements for setting up iSeries NetServer properly: 


* You must configure your personal computer and the iSeries server with 
Transmission Control Protocol/Internet Protocol (TCP/IP). 


* You must configure the file sharing protocol, Client for Microsoft Windows 
Network, on your PC client. 


* You must know the server name of the iSeries NetServer and your Internet 
Protocol (IP) address resolution strategy. 


Configure your iSeries server to use iSeries NetServer 


These instructions assume that you do not have access to iSeries Navigator 
support. Whenever possible, you should use iSeries Navigator. You must have 
*IOSYSCFG special authority to change any part of iSeries NetServer configuration. 
In addition, you must have *SECADM special authority to change the iSeries 
NetServer guest user profile. These changes will take effect the next time iSeries 
NetServer is started. 


1. Verify that TCP/IP support is configured on your iSeries. You must have at 
least one external TCP/IP interface configured and active to use iSeries 
NetServer. 


* Use the Configure TCP/IP (CFGTCP) command to check or change 
interfaces, routes, setup host table, and domain name services. Once the 
configuration is complete, use the Start TCP/IP (STRTCP) command to 
activate the support. 


2. Use the Work with Subsystems (WRKSBS) command to confirm that the 
QSERVER subsystem has started. 


3. Verify that the iSeries NetServer server name is unique on the network. To 
change the iSeries NetServer default server and domain name, use the 
following command: 


CALL QZLSCHSN PARM (server-name domain-name 
‘text description or comment' X'00000000') 


Once you change the iSeries NetServer server name, you should add it to the 
Domain Name System (DNS) or your PC client’s LMHOST file. 

4. Users who require the file and print-sharing capabilities of iSeries NetServer, 
but do not have an iSeries user profile need a guest user profile. iSeries 
NetServer does not automatically configure guest support; users without iSeries 
user profiles will not be able to access iSeries NetServer. 


Note: For iSeries NetServer print support, the Guest User Profile must have a 
password. 

To change iSeries NetServer guest support, use the following command: 

CALL QZLSCHSG (guest-user-profile X'00000000') 


5. To stop and start iSeries NetServer, use the following commands: 
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STRTCPSVR *NETSVR 
ENDTCPSVR *NETSVR 


All configuration changes made to iSeries NetServer, with the exception of 
share and session administration, do not take effect until you stop and restart 
the iSeries server. 

6. Use the Work with Active Job (WRKACTJOB) command to verify that there is a 
QZLSSERVER job running under the QSERVER subsystem. If the QZLSSERVER 
job is not active, you must restart iSeries NetServer. 

7. Use the Work with TCP/IP Network Status (NETSTAT *CNN) command to 
verify that the following entries appear in the NETSTAT output file. If you 
cannot find these entries, then you must restart iSeries NetServer. 

** netbios>001:27:44 Listen 

* netbios>000:00:01 *UDP 

* netbios>000:00:00 *UDP 

** netbios>000:30:57 Listen 

** Cifs>427:49:42 Listen 


* 


* 


Note: The NETSTAT command output may be many pages long. 


8. Use the Work with Active Job (WRKACTJOB) command to ensure that there is 
a QNPSERVD job active in the QSYSWRK subsystem. If there is no QNPSERVD 
job, then you must use the Start Host Server (STRHOSTSVR *NETPRT) 
command to start the Network Print Server (NPS). Starting the NPS ensures 
that iSeries NetServer print shares function properly. 


Set up your PC client to use iSeries NetServer 


Configuring your PC client for use with iSeries NetServer ensures that you have 
properly set up your PC operating system to use iSeries NetServer shared 
resources. Configuring your PC operating system properly ensures that all 
supported PC clients can locate iSeries NetServer and use file and print shares.. For 
information on setting up a Linux/Samba client to_use iSeries NetServer, see the 


iSeries NetServer Web site, for the information on|Linux/Samba client support 


(http:/ /www.ibm.com/eserver/iseries/netserver/linux.html) ™ . 
Set up a Windows PC client to find iSeries NetServer 


iSeries NetServer supports the following Windows clients: Windows 98; Windows 
NT 4.0; Windows NT Server, Terminal Server Edition; Windows 2000; Windows 
Millenium Edition (ME); and Windows XP. 


Setting up a Windows PC client to find iSeries NetServer allows you to easily 
access shared resources from your Windows PC client. 


You must first ensure that clients can locate iSeries NetServer on the network. If 
this is not the case, network PC clients can use the Domain Name System (DNS), 
Windows Internet Naming Service (WINS), or a LMHOSTS file to locate iSeries 
NetServer. 


Note: If iSeries NetServer and your Windows client are in the same workgroup 
(domain) and in the same subnet (network segment), then no additional 
setup on the client is necessary. Also no additional setup may be neccessary 
if iSeries NetServer is to be found by IP address only. 
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If you are using DNS, you must also configure your client to use DNS. To 
configure your client for use with DNS, follow these steps: 


For Windows 98 or Me: 


BO OLE ONS 


8. 


Open the Windows Start Menu. 

Select Settings and then select Control Panel. 
Double-click Network. 

Select TCP/IP and click Properties. 

Select the DNS Configuration tab. 

Select the Enable DNS option. 


Enter the host name, domain, DNS service search order, and domain suffix 
search order for DNS. 


Click OK. 


For Windows NT: 


ONOAaAa PON > 


9. 


Open the Windows Start Menu. 

Select Settings and then select Control Panel. 
Double-click Network. 

Select the Protocols tab. 

Select TCP/IP and click Properties. 

Select the DNS Configuration tab. 

Select the Enable DNS option. 


Enter the host name, domain, DNS service search order, and domain suffix 
search order for DNS. 


Click OK. 


For Windows 2000: 


— 
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Open the Windows Start Menu. 

Select Settings and then select Control Panel. 
Double-click Network and Dialup Connections. 
Select the Protocols tab. 

Select Local Area Connection. 

Click Properties... 

Select Internet Protocol (TCP/IP) and click Properties. 
Click Advanced. 

Click the DNS tab. 


Specify the host name, domain, DNS service search order, and domain suffix 
search order for DNS. 


Click OK. 


For Windows XP: 


a oe 


Click the Start button to open the Start menu. 
Select Control Panel. 

Click Network and Internet Connections. 
Click Network Connections. 


Select the appropriate connection and click Change settings of this 
connection task. 
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1. 


Select Internet Protocol (TCP/IP). 
Click Properties. 

Click Advanced. 

Select the DNS tab. 


Specify the host name, domain, DNS service search order, and domain suffix 
search order for DNS. 


Click OK. 


If you are using WINS, then you must|configure iSeries NetServer with the 
fldress of the network WINS server 


ddress of the network WINS server| You then need to configure your client with 
the iSeries NetServer IP address or the WINS server IP address. To configure your 
client for use with WINS, follow these steps: 


For Windows 98 or Me: 


Noo } ON = 


8. 


Open the Windows Start Menu. 

Select Settings and then select Control Panel. 
Double-click Network. 

Select TCP/IP and click Properties. 

Select the WINS Configuration tab. 

Select the Enable WINS option. 


Specify the primary and secondary WINS server IP addresses and the scope ID, 
if a scope ID is being used in the network. 


Click OK. 


For Windows NT: 


CO ONoOa kan > 


Open the Windows Start Menu. 

Select Settings and then select Control Panel. 

Double-click Network. 

Select the Protocols tab. 

Select TCP/IP and click Properties. 

Select the WINS Configuration tab. 

Select the Enable WINS option. 

Specify the WINS server IP addresses in the proper search order. 
Click OK. 


For Windows 2000: 


— ot 


ils 


reo O8 DPNOn RF wD 


Open the Windows Start Menu. 

Select Settings and then select Control Panel. 
Double-click Network and Dialup Connections. 
Select the Protocols tab. 

Select Local Area Connection. 

Click Properties... 

Select Internet Protocol (TCP/IP) and click Properties. 
Click Advanced. 

Click the WINS tab. 

Specify the WINS server IP addresses in the proper search order. 
Click OK. 
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For Windows XP: 
1. Click the Start button to open the Start menu. 
2. Select Control Panel. 
3. Click Network and Internet Connections. 
4. Click Network Connections. 


5. Select the appropriate connection and click Change settings of this 
connection task. 


Select Internet Protocol (TCP/IP). 

Click Properties. 

Click Advanced. 

Select the WINS tab. 

Specify the WINS server IP addresses in the proper search order. 
Click OK. 


*- SO ODN ® 


1 
1 
If you are using the LMHOSTS file, then you must configure LMHOSTS with the 


system name and IP address for iSeries NetServer to ensure client connectivity. To 
add a preloaded entry to the LMHOSTS file, follow these steps: 


1. Go to the\Windows directory for a Windows 98 or ME client, or the 
\WINNT\system32\drivers\etc directory for a Windows NT, 2000, or XP clients. 


2. Add the following entry to the LMHOSTS file: 
TCP/IP-address iSeries-NetServer-server-name #PRE 


For example: 
10.5.10.1 QNETSERVER #PRE 


If the iSeries NetServer is a Logon Server: 


10.5.10.1 QNETSERVER #PRE #DOM:netdomain (netdomain is the domain name that 
the Logon Server 
services). 


Connect your PC client 


Configuring a PC client connection to iSeries NetServer ensures that network 
clients can locate iSeries NetServer and use file and print shares. 


Keep in mind that TCP/IP configuration does not require any changes to support 
iSeries NetServer. However, any PC client that uses iSeries NetServer must be 
configured with the following items: 


* File and print clients specific to the operating system of your PC client. See your 
operating system documentation for more information on file and print clients. 


* An iSeries server that is placed in the same workgroup (domain) and the same 
subnet (network segment) as the PC client that uses iSeries NetServer UDP 
broadcasts. See|“iSeries NetServer UDP broadcasts” on page 17|for more details. 

* The address of a DNS server if you_are using DNS to locate and_connect to 
iSeries NetServer. See|“iSeries NetServer and Domain Name System (DNS) 
management” on page 17|for more details. 

* The Windows Internet Naming Service (WINS) configuration information if you 


are using a network WINS server to locate and connect to iSeries NetServer. See 
“iSeries NetServer and Windows Internet Naming Service (WINS) management” 
on page 17|for more details. 
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e LMHOSTS entries for iSeries NetServer if you are using LMHOSTS files to locate 
and connect to iSeries NetServer. See |“PC client LMHOSTS static configuration 
files” on page 19) for more details. 

iSeries NetServer UDP broadcasts 


In many TCP/IP networks, various routers in the network filter out User 
Datagram Protocol (UDP) broadcast frames. A client on one side of a router cannot 
find iSeries NetServer because the UDP broadcast cannot cross the router. 


Smaller networks that are set up to filter UDP broadcasts should consider using 
other mechanisms for locating the server. The following methods are alternatives to 
using the default iSeries NetServer UDP broadcast: 


* Make an entry for iSeries NetServer in the network Domain Name System 
(DNS) database. Using DNS is the easiest way to locate and connect to iSeries 
NetServer. 


* Configure the Windows Internet Naming Service (WINS) for use with iSeries 
NetServer. 


* Create entries for iSeries NetServer in PC client static configuration files (such as 
LMHOSTS). 


Note: It is easiest to manage iSeries NetServer and PC clients if you place all of 
them in the same workgroup and the same subnet. If this is how you 
configured your network, then iSeries NetServer appears in the Windows 98 
or Windows NT Network Neighborhood, or in Windows 2000, Windows 
ME, and Windows XP My Network Places without any additional 
configuration. 


iSeries NetServer and Domain Name System (DNS) 
management 


TCP/IP networks can use the Domain Name System (DNS) to map server system 
names to IP addresses. In a DNS network, an entry tells clients in the network how 
to map the name of the server to its proper TCP/IP address. 


No DNS entry exists for iSeries NetServer regardless of whether you use the 
default system name for iSeries NetServer or specify a new system name. If you 
want PC clients to access iSeries NetServer by using DNS, then you must add the 
iSeries NetServer server name and IP address to the DNS database on iSeries. 
Using DNS is generally the easiest way for clients to access iSeries NetServer on a 
distributed network. 


To add a new DNS database entry for iSeries NetServer on the network, you must 
specify the server name for iSeries NetServer. 


Configuring DNS entries for both the iSeries server and iSeries NetServer allows 
PC clients to address iSeries Access for Windows as SYSTEM1 while addressing 
iSeries NetServer as QSYSTEM1, even though both use the same IP address. This step 
avoids any potential conflicts in the client operating system. 


iSeries NetServer and Windows Internet Naming Service 
(WINS) management 


Windows NT servers and Linux Samba server can provide the Windows Internet 
Naming Service (WINS), which allows clients to map server system names to their 
actual TCP/IP addresses. WINS is a dynamic naming service that resolves 
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NetBIOS computer names to IP addresses. Although the iSeries server cannot act 
as a WINS server, it can act as a WINS proxy. This enables non-WINS clients to 
obtain name resolution from WINS. A WINS proxy receives broadcasted name 
requests from non-WINS clients and resolves them by directing queries to a WINS 
server. 


Note: Using WINS Proxy is not a recommended method of resolving computer 
names to IP addresses. 


You can specify an address for a network WINS server on the iSeries NetServer 
WINS configuration - Next start dialog in iSeries Navigator. You can then 
configure clients to connect to iSeries NetServer by using the WINS server. 


Once you configure your PC clients and iSeries NetServer with WINS addresses, 
you do not need to perform any additional network configuration. PC clients can 
now locate and connect to iSeries NetServer by using WINS. 


Note: In a complex TCP/IP network, where the iSeries NetServer is configured as 
a Logon Server, a WINS solution for address resolution is better than DNS 
because logon clients in separate subnets need to be able to resolve special 
NetBIOS service names in addition to the configured iSeries NetServer 
name. 


Configure iSeries NetServer with the address of the network 
WINS server 

You can configure iSeries NetServer with the address of the network Windows 
Internet Naming Service (WINS) server by using iSeries Navigator. WINS allows 
PC clients to connect to and access iSeries NetServer shared resources. 


To configure iSeries NetServer with the address of the network WINS server, 
follow these steps: 


1. Open a connection to iSeries Navigator on your iSeries server. 
Expand Network. 

Expand Servers. 

Click TCP/IP. 

Right-click iSeries NetServer and select Properties. 

Select the WINS Configuration tab. 

Click Next start. 


In the Primary WINS server field, enter the IP address of the network WINS 
server. iSeries NetServer uses this WINS server for client connections the next 
time that you start iSeries NetServer. 
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9. In the Secondary WINS server field, enter the IP address of the secondary 
network WINS server. iSeries NetServer uses this secondary WINS server for 
client connections the next time that you start iSeries NetServer. 


10. In the Scope ID field, enter a text string to serve as the network scope for the 
WINS server. The WINS server uses this scope ID the next time that you start 
iSeries NetServer. 


Note: You must configure any PC clients that use iSeries NetServer with the 
same scope ID that you specify here. WINS also functions properly if 
you leave this entry for scope ID blank on both iSeries NetServer and 
any clients. 
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11. Specify if you would like to enable or disable the iSeries NetServer to act as a 
WINS proxy. 


12. Click OK to save your changes. 


PC client LMHOSTS static configuration files 


PC client operating systems can provide static configuration files that map server 
system names to TCP/IP addresses. These files are typically more difficult to 
manage than a solution that involves more centralized control (for example, a DNS 
or WINS server). This difficulty results because your network administrator must 
configure each PC client individually. Static configuration files are very useful, 
however, in large, distributed networks. In this environment, clients and servers 
exist in different subnets (network segments) and possibly different workgroups 
(domains). Static configuration files help clients locate servers. 


All PC clients supported by iSeries NetServer provide the LMHOSTS file that can 
map server system names to IP addresses. The LMHOSTS file contains IP addresses 
and server system names. You can use these files to map the IP address for both 
the iSeries server and iSeries NetServer for clients. Mapping the IP address for 
both iSeries and iSeries NetServer allows clients to find the iSeries server and 
iSeries NetServer in a large, distributed network environment. 


You may also add an entry into the LMHOSTS file that points to a LMHOSTS file that is 
administered centrally on the iSeries server. By pointing all clients to the central 
file on the iSeries server, you need to maintain only one LMHOSTS file for the 
network. 


You can find more information about LMHOSTS files in the sample LMHOSTS file that 
is provided with your Windows operating system. Additional information is 
available in your operating system documentation. 


Find iSeries NetServer on the iSeries network 


Finding iSeries NetServer on the iSeries network with your PC client allows you to 
access shared resources on the network. This also ensures that your connection 


method to iSeries NetServer is up and running. For information on finding iSeries 
NetServer on the network using Linux/Samba clients, see the |Linux/Samba client 
information on the iSeries NetServer Web site 

(http:/ /www.ibm.com/eserver/iseries/netserver/linux.html) 2 : 


Find iSeries NetServer from the Windows client 


You can use the Windows client to find iSeries NetServer. This allows you to access 
shared resources from your Windows client. 


If iSeries NetServer and your client are in the same workgroup (domain) and in 
the same subnet (network segment), follow these steps to find iSeries NetServer: 


For Windows 98, NT, and Me: 
1. Open Windows Network Neighborhood. 
2. Select the system name of iSeries NetServer on the iSeries server). 


For Windows 2000 and XP: 
1. Open My Network Places. 
2. Double-click Computers Near Me. 
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3. Select the system name of iSeries NetServer on the iSeries server). 


If the PC client and iSeries NetServer are not in the same workgroup/domain, 
follow these steps to find iSeries NetServer: 


For Windows 98 and Me: 

1. Open Windows Network Neighborhood. 

2. Open Entire Network. 

3. Open the domain that iSeries NetServer is in. 

4. Select the system name of iSeries NetServer on the iSeries server). 


For Windows 2000: 

Open My Network Places. 

Double-click Entire Contents. 

Click Show Entire Contents. 

Double-click Microsoft Windows Network. 

Open the domain in which iSeries NetServer is located. 


oa ON = 


Select the system name of iSeries NetServer on the iSeries server. 


For Windows XP: 

Open Windows Explorer. 

Expand My Network Places. 

Expand Entire Network. 

Expand Microsoft Windows Network. 

Expand the domain or workgroup in which iSeries NetServer is located. 
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Select the system name of iSeries NetServer on the iSeries server. 
Tips: 


You can also use Find Computer on Windows to locate iSeries NetServer on your 
network by following these steps: 


For Windows 98 and NT 
1. Open the Windows Start menu. 
2. Select Find and then Computer. 


3. In the Find Computer dialog, specify the server name for iSeries NetServer on 
the iSeries server. 


4. Click OK. 


For Windows 2000 and Me: 

Open the Windows Start menu. 

Select Search. 

Select For files or Folders... 

Click the Computers link. 

In the Computer Name field, specify the server name of iSeries NetServer. 
Click Search Now. 
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For Windows XP: 
1. Open the Windows Start menu. 
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Select Search. 

Click Computers or People. 

Click A Computer in the Network. 

Specify the server name for iSeries NetServer in the appropriate field. 
Click Search. 
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Windows clients support the addressing of servers by using both fully qualified 
names as well as Internet Protocol (IP) addresses. The use of fully qualified names 
and IP addresses allows Windows clients to access data on iSeries NetServer in the 
absence of other naming mechanisms. 


You can use any of the following valid forms when addressing an iSeries server or 
iSeries NetServer with a Windows client. For example, you could use any of these 
forms with the Find Computer dialog. 


* qsysteml.mysite.com 

°¢ systeml.mysite.com 

° 1.2.34.123 

These forms also work from a Disk Operating System (DOS) window, as in the 
following examples: 

¢ dir \\qsysteml.mysite.com\qca400\*.* 

¢ del \\systeml.mysite.com\jim.doc 

¢ type \\1.2.34.567\scott.txt 


See |“Troubleshoot iSeries NetServer location on the network” on page 73|if you 


have trouble finding iSeries NetServer on the network. 


Start iSeries NetServer 


Starting iSeries NetServer allows you to immediately begin sharing data and 
printers with your PC clients. iSeries NetServer starts automatically when TCP/IP 
is started. If you ever need to restart iSeries NetServer, then follow these steps: 


1. Open a connection to iSeries Navigator on your iSeries server. 
2. Expand Network. 

3. Expand Servers. 

Click TCP/IP. 

5. Right-click iSeries NetServer and select Start. 


> 


A faster method of starting iSeries NetServer using iSeries Access for Windows is: 


1. Open a connection to iSeries Navigator on your iSeries server. 
2. Expand File System. 

3. Right-click File Shares and select Open iSeries NetServer. 

4. Right-click iSeries NetServer and select Start. 


If you do not have iSeries Navigator installed, use the following command to start 
iSeries NetServer: 


¢ For V4R4 and later: 
STRTCPSVR *NETSVR 
¢ For V4R2 and V4R3: 
CALL PGM(QZLSSTRS) PARM('O' X'Q0000000') 
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Chapter 5. Administer iSeries NetServer 


Administering iSeries NetServer allows you to manage file and print shares and 
control other iSeries NetServer functions. The iSeries Navigator subcomponent of 
iSeries Access for Windows provides the administration interface for iSeries 
NetServer. By default, iSeries NetServer shares the iSeries Access for Windows 
install directory with the network. 


You can |install iSeries Access for Windows|by accessing the default iSeries 


NetServer file share, QIBM. 
Once you have installed iSeries Access for Windows and iSeries Navigator, you are 
ready to administer iSeries NetServer. Review the following topics for the 


information you need to effectively manage iSeries NetServer: 


iSeries NetServer 


“View and configure iSeries NetServer properties” on page 2 
Lists the steps you must take to configure iSeries NetServer properties. 


“iSeries NetServer support for Kerberos v5 authentication” on page 2 
Describes the steps you must take to enable iSeries NetServer support for 
Kerberos authentication. 


“Change the server name of iSeries NetServer” on page 2 
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and specifies what steps you must take to do so. 


“Disabled user profiles” on page 28 
Describes the conditions that cause the disabling and re-enabling of iSeries user 
profiles. 


; 


“Stop iSeries NetServer” on page 2 
Lists the steps you must take to end all sharing of iSeries resources with iSeries 
NetServer. 


“Specify subsystems for iSeries NetServer” on page 29 
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Describes how to define what level of authority a guest user profile has to 
iSeries NetServer. 
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1 
Lists the steps you must take to view the current status of iSeries NetServer. 
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iSeries NetServer shared objects 


“View a list of iSeries NetServer shared objects” on page 31 
Defines shared object and describes how to view a list of all shared objects 
iSeries NetServer is currently sharing. 


“View and configure iSeries NetServer shared object properties” on page 32 
Lists the steps you must take to configure iSeries NetServer shared. object 
properties. 


“View shared object status” on page 33 
Lists the steps you must take to view the current statistics for a shared object 
connection to iSeries NetServer. 


iSeries NetServer sessions 
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“View a list of iSeries NetServer sessions” on page 33 


Defines session and describes how to view a list of active iSeries NetServer 
sessions. 


“View iSeries NetServer session properties” on page 33 


Lists the steps you must take to view iSeries NetServer session properties. 


“View iSeries NetServer session connection status” on page 34 


Lists the steps you must take to view the current statistics for a workstation 
connection to iSeries NetServer. 


“Stop an iSeries NetServer session” on page 34 


Lists the steps you must take to stop a client’s use of file and print shares on a 
specific session. 


View and configure iSeries NetServer properties 


You can access the server attributes for iSeries NetServer through iSeries Navigator, 
which allows you to view and configure iSeries NetServer properties. 


To display iSeries NetServer properties using iSeries Navigator, follow these steps: 
1. Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to display a list of TCP/IP servers available. 

Right-click iSeries NetServer and select Properties. 
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The iSeries Navigator online help provides detailed information about each of the 
iSeries NetServer dialogs. 


iSeries NetServer support for Kerberos v5 authentication 


iSeries NetServer now supports using Kerberos Version 5 (v5) for user 
authentication. In order to enable iSeries NetServer support for Kerberos v5 


authentication, you must first have the |“iSeries Navigator Security option” on 
Network authentication service} and |Enterprise Identity Mapping (EIM) 


configured on the iSeries server. You must also have |Cryptographic Access 
Provider (5722-AC2 or AC3)} installed on the server. 

iSeries NetServer clients must use Kerberos to authenticate with the server if you 
enable support for Kerberos v5. Therefore, only clients that support Kerberos v5 


can connect to iSeries NetServer once this support is enabled. The following 
Windows clients do not support Kerberos v5: 


¢ Windows 95 
¢ Windows 98 
¢ Window NT 
¢ Windows Me 


Enable support for Kerberos v5 authentication 

You are strongly encouraged to use the iSeries NetServer configuration wizard to 
enable support for Kerberos v5. The configuration wizard_helps you configure the 
necessary services required for use with Kerberos v5. See| "iSeries NetServer 
foatigurtion wizard’ oh page | for instructions on how to launch the iSeries 
NetServer configuration wizard. 
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You may enable iSeries NetServer support for Kerberos v5 authentication throug 
iSeries NetServer 


configuration requirements for Kerberos v5 authentication enablement” 


properties. However, you must also complete the |“ Additional 


If you fail to complete all of the configuration requirements, you will be unable 
to use iSeries NetServer once you restart the server. 


1. 


5. 


In iSeries Navigator, expand Network> Servers> TCP/IP. 


2. Right-click iSeries NetServer and select Properties. 
3. 
4. On the General Next Start dialog, select Kerberos v5 for Authentication 


Click the Next Start button. 


method. 
Click OK. 


iSeries Navigator Security option 


To install Security, follow these steps: 


i 
2. 


3. 


Click Start> Programs> IBM iSeries Access for Windows> Selective Setup. 


Follow the instructions on the screen. On the Component Selection dialog, 
expand iSeries Navigator, then click to place a check mark next to Security. 


Continue through the rest of Selective Setup. 


iSeries NetServer configuration wizard 


Additional configuration is required in order to use Kerberos v5 with iSeries 
NetServer. The configuration wizard will help you through the additional 
configuration requirements for using Kerberos v5 with iSeries NetServer. 


To launch the iSeries NetServer configuration wizard, follow these steps: 


1. 
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Open iSeries Navigator and connect to the system you want to work with. 
Expand Network> Servers. 

Click TCP/IP to display a list of TCP/IP servers available. 

Right-click iSeries NetServer and select Configuration. 


Follow the instructions to complete the iSeries NetServer configuration wizard. 


Additional configuration requirements for Kerberos v5 
authentication enablement 


You must complete all of the following steps prior to restarting the iSeries server. 


1. 


The|Enterprise Identity Mapping (EIM)] and 


must be configured on the server in order to use Kerberos v5 authentication. If 
you currently have EIM and Network authentication services configured, 


skip this step and proceed to 


Note: The EIM configuration wizard gives you the option to configure 
Network authentication service, if it is not currently configured on your 
server. In this event, you must select to configure the Network 
authentication service, as it is a required service in order to use Kerberos 
v5 authentication with iSeries NetServer. 


To configure EIM and Network authentication services complete the following 
steps: 
a. Open iSeries Navigator and connect to the system you want to work with. 
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b. Expand Network. 
c. Right-click Enterprise Identity Mapping and select Configure. 


d. Follow the instructions in the EIM configuration wizard. 


Note: If Network authentication services is not currently configured on the 
iSeries server, you will be prompted to configure this service during the 
EIM configuration wizard. You must ensure that you select to add the 
iSeries NetServer service principals when configuring Network 
authentication services. 


. With Network authentication service currently configured on your server, you 


must manually add the service principal names to the keytab. 
a. For Windows 2000 clients: 


HOST/<fully qualified name>@<REALM> 
HOST/<qname>@<REALM> 
HOST/<IP Address>@<REALM> 


b. For Windows XP clients: 


cifs/<fully qualified name>@<REALM> 
cifs /<qname>@<REALM> 
cifs/<IP Address>@<REALM> 


Keytab entries may be added using the Kerberos Key Tab (QKRBKEYTAB) 
command. On a command line, use the following command string: CALL 
PGM(QKRBKEYTAB) PARM('add' 'HOST/qname where qname is the fully qualified 
name or the IP address. 


. Additional setup is also required on the Windows 2000 or Windows XP domain 


controller that the iSeries NetServer clients use as the Key Distribution Center 
(KDC) 

. Complete the following steps to configure an iSeries NetServer service 
principal on the Windows KDC: 


a. Install the Support Tools from your Windows server CD. 


Note: Instructions for installing the Support Tools can be found in the 
Microsoft KB article Q301423 
(http: / /support.microsoft.com/support/kb /articles /Q301/4/23.ASP). 
b. Create a new user in the Active Directory. 


c. From a command prompt, use the ktpass.exe support tool to map a service 
principal to the newly created user. The password used for ktpass should 
match the password used to create the service principal on the iSeries 
system. Substituting your own parameters for the items in < >, use the 
appropriate command call as follows. 

For Windows 2000 clients: 

ktpass -princ HOST/<iSeriesNetServerName@REALM> -mapuser <new user> 
-pass <password> 

For Windows XP clients: 

ktpass -princ cifs/<iSeriesNetServerName>@REALM> -mapuser <new user> 
-pass <password> 


Note: Only one principal can be mapped to a user. If both HOST/* and 
cifs/* principals are needed, each must be mapped to a separate 
Active Directory user. 
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d. Repeat steps |3b on page 26jand [3c on page 26]if you want to access iSeries 


NetServer using additional principal names. 


Change the server name of iSeries NetServer 


The iSeries NetServer server name is the name you use to install the iSeries Access 
for Windows and to access your iSeries NetServer over the network and the 
Internet. Under most circumstances, you do not need to change the server name 
that iSeries NetServer uses on iSeries. Even though you can connect to iSeries 
NetServer by using any server name you choose, you should not change the server 
name from its default. The name should be the same as your iSeries system name 
but prefixed with a Q (for example, QiSeries if the system_name is iSeries). If, 
however, you must change the server name, review the erence ee 
doing so. You can view the iSeries system name in the iSeries network attributes 
by using the Display Network Attributes (DSPNETA) CL command. 


Note: You must have *IOSYSCFG authority to change the iSeries NetServer 
configuration. The change to the server name does not take effect until the 
next time that iSeries NetServer is started. 


To change the iSeries NetServer server name by using iSeries Navigator, follow 
these steps: 


Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of the TCP/IP servers available. 

Right-click iSeries NetServer and select Properties. 
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On the General page, click Next Start. In the Server name field, specify the 
name that iSeries NetServer should use. 


Server name guidelines 


The default name configured for iSeries NetServer is typically not the same as the 
TCP/IP system name. This is done in order to avoid conflicts with older versions 
of Client Access (pre-V4R4) that look for the system name. However, you are 
encouraged to have the iSeries NetServer name configured to be the same as the 
system name when possible. 


Therefore, if you are using iSeries NetServer for the first time or if you have 
changed the TCP/IP name of your system, you should also change the iSeries 
NetServer name to match the system name when the following are true: 


* No Windows clients in the network are currently using Client Access for 
Windows 95/NT (pre-V4R4). 


* No users currently have network drives or printers mapped to iSeries NetServer 
shares. 


If you have not completed the migration to iSeries Access for Windows for all 
Windows PCs on your network from a pre-V4R4 version of Client Access, you 
should keep the iSeries NetServer name different from the system name to avoid 
inconsistent results for the clients. 


If users in your network currently have network drives or printers mapped to 
iSeries NetServer shares, you should disconnect these mappings before changing 


the iSeries NetServer name. Otherwise, these mappings fail when automatically 
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trying to reconnect using the older name. You should also update any DOS scripts 
on the clients that refer to the older iSeries NetServer name. 


To avoid making all of these updates simultaneously, you can select the Allow 
iSeries NetServer access using iSeries name on the iSeries NetServer option on 
the General Next Start Properties dialog before you change the iSeries NetServer 
name. The next time iSeries NetServer is stopped and restarted, both names will be 
recognized. The new system name can be used when configuring new Windows 
clients while the existing clients continue to use (map to) the previous name. 


Disabled user profiles 


iSeries NetServer uses iSeries user profiles and passwords to allow network 
administrators to control how users can access data. In addition, an iSeries system 
value named QMAXSIGN specifies how many unauthorized sign-on attempts disable 
the user profile. 


A user profile becomes disabled when the user tries to access iSeries NetServer a 
specified number of times with an incorrect password. A user profile cannot 
become completely disabled when connecting to an iSeries with iSeries NetServer. 
If a user exceeds the maximum number of sign-on attempts the user profile 
becomes disabled for only iSeries NetServer use. Other types of access, such as a 
system sign-on, are not prevented. 


iSeries NetServer uses the last-changed date on iSeries user profiles to determine if 
they have changed since becoming disabled. If the last-changed date is newer than 
the date of becoming disabled, then the user profile becomes enabled again for use 
with iSeries NetServer. 


Notes: 


1. The QSYSOPR message queue displays the CPIB682 error message that 
indicates when an iSeries user profile was disabled for use with iSeries 
NetServer. 

2. Some clients will retry a name and password several times without the user 
being aware of it. For example, if the user’s desktop password does not match 
the iSeries user profile password, the client may retry to access the iSeries 
NetServer several times before displaying the Network Password popup 
window. When the correct password is supplied, the user profile may already 
be disabled for iSeries NetServer use on the iSeries. If you encounter this 
situation, the Maximum sign-on attempts allowed system value, QMAXSIGN, 
could be increased to accommodate multiple client authentication attempts. To 
do this, use the Work with System Values command: WRKSYSVAL (SYSVAL). 


Display disabled user profiles 


To display the disabled iSeries NetServer users using iSeries Navigator, follow 
these steps: 


In iSeries Navigator, connect to an iSeries server. 
Expand Network. 

Expand Servers. 

Click TCP/IP to view list of TCP/IP servers available. 
Right-click iSeries NetServer and select Open. 

Click on File in the upper left-hand corner. 

On the pull-down select Disabled User IDs. 
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Enable a disabled user profile 


You can re-enable a user profile that has become disabled. You need *IOSYSCFG 
and *SECADM authority to use iSeries Navigator to enable a disabled iSeries 
NetServer user. 


There are three ways that you can enable a user profile that has been disabled. 
* Use iSeries Navigator: 
1. In iSeries Navigator, connect to an iSeries server. 
Expand Network. 
Expand Server. 
Click TCP/IP to view list of TCP/IP servers available. 
Right-click iSeries NetServer and select Open. 
Click on File in upper left-hand corner. 
On the pull-down menu, select Disabled User IDs. 
. Click a disabled user ID and select Enable User ID. 


* Change the user profile. Executing the following command re-enables the user 
profile. You may exit the Change User Profile screen without making any 
changes to the properties for the user profile. 


CHGUSRPRF USRPRF (USERNAME) 
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where USERNAME is the name of the user profile you want to re-enable. 
* Stop and then restart iSeries NetServer. 


Stop iSeries NetServer 


Stopping iSeries NetServer allows you to end all sharing of iSeries resources with 
iSeries NetServer. Stopping and then restarting iSeries NetServer also allows you to 
change iSeries NetServer configuration. 


To stop iSeries NetServer, follow these steps: 

1. Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of TCP/IP servers available. 

Right-click iSeries NetServer and select Stop. 
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Specify subsystems for iSeries NetServer 


Beginning with V5R2, you can control the subsystems in which user jobs are run. 
For example, you can now create separate subsystems for users or groups of users. 


The QSERVER subsystem is still shipped with the same default pre-start job 
entries. If a client attempts to use a subsystem that does not have pre-start job 
entries defined, the server then runs in the QSERVER subsystem using 
batch-immediate jobs. If this occurs, the jobs maintain the same name, but may 
have a job type of BCI (batch-immediate) instead of PJ (pre-start) when viewed on 
the Work With Active Jobs (WRKACTJOB) display. 


System performance 
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The ENDTCPSVR command and the QZLSENDS API also take longer to complete 
when ending iSeries NetServer. These commands take more time to process 
because all of the jobs associated with the server must be ended when the daemon 
job is ended. 


The connect time may also be slightly longer when batch-immediate jobs are used. 
Add prestart jobs to a subsystem description 


When you configure clients to run jobs in a different subsystem than QSERVER, 
you must also add the necessary pre-start jobs to the subsystem description. For 
example, to add pre-start jobs for QZLSFILE in another subsystem, you would use 
the following command string (inserting your own subsystem name): ADDPJE 
SBSD(SubsystemName) PGM(QSYS/QZLSFILE) USER(QUSER) STRJOBS(*YES) INLJOBS (1) 
THRESHOLD(1) ADLJOBS(5) JOB(*PGM) JOBD(*USRPRF) MAXUSE(200) WAIT(*YES) 
POOLID(1) CLS(QSYS/QPWFSERVER *CALC *NONE *CALC). 


This command starts 1 prestart job in the subsystem that you configured. This job 
is used when a new connection is established to iSeries NetServer. When the 
number of pre-start jobs drops below 1, five more pre-start jobs are started in order 
to be used by future connections. 


Specify subsystems 


To specify the subsystems that iSeries NetServer server jobs run in, follow these 
steps: 


In iSeries Navigator, expand Network> Servers. 

Click TCP/IP. 

Right-click iSeries NetServer and select Properties. 

Click the Subsystems tab. 

Specify the subsystem settings that you want to use. 

Use the Help button to find information on individual fields. 
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Click OK when you are finished. 


Set the guest user profile for iSeries NetServer 


A guest user profile provides a base level of access for clients who do not have a 
valid iSeries user profile. You can set the user profile that iSeries NetServer uses 
for guest users through iSeries Navigator. You can also specify what level of 
authority guests will have to iSeries shared resources using iSeries NetServer. You 
need *IOSYSCFG and *SECADM to change the guest user profile information. The 
change to guest user profile does not take place until the next time that iSeries 
NetServer is started. 


To set the guest user profile for iSeries NetServer, follow these steps: 

Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of TCP/IP servers available. 

Right-click iSeries NetServer and select Properties. 

Go to the Advanced dialog and click Next Start. 
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7. In the Guest User Profile field, enter the user profile that you want guests to 
have when using iSeries NetServer. 


Note: If you leave this field blank, then unknown users do not have access to 
iSeries resources through iSeries NetServer. In addition, the guest user 
profile that you specify cannot have any special authorities. Guests 
should have little or no authority on iSeries. 


If you have concerns about the security risks a guest user profile may pose to your 
system, see|“iSeries NetServer guest user profiles” on page 58] for more 


information. 


View iSeries NetServer status 


You can access the current status of iSeries NetServer through iSeries Navigator. 
The iSeries NetServer status dialog contains important statistical information that 
will help you to effectively administer iSeries NetServer. You can refresh the 
current statistics for the server, reset all values to 0, or set the time between refresh 
requests from the iSeries NetServer Status dialog. 


When you set the time, in minutes, between refresh requests to the host for iSeries 
NetServer status, the timed refresh values are saved so you do not have to refresh 
each time the NetServer status dialog is opened. 


Note: Timed refresh values are saved for each system, not for each user. 


To display iSeries NetServer status by using iSeries Navigator, follow these steps: 
1. Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to display a list of TCP/IP servers available. 

Right-click iSeries NetServer and select Status. 
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The iSeries Navigator online help provides more details about each field on the 
iSeries NetServer status dialog. 


View a list of iSeries NetServer shared objects 


You can use iSeries NetServer to access shared resources on an iSeries network. 
These shares consist of the following items, called shared objects: 


* File shares, which share integrated file system directories on iSeries 
* Print shares, which share iSeries output queues 


You can view a list of shared objects from within iSeries Navigator, which allows 
you to see all of the objects that iSeries is currently sharing with PC clients by 
using iSeries NetServer. 


To view a list of currently shared objects in iSeries Navigator, follow these steps: 
1. In iSeries Navigator, expand Network. 

Expand Servers. 

Click TCP/IP to view a list of TCP/IP servers available. 

Right-click iSeries NetServer and select Open. 

Expand Shared Objects to display a list of currently shared objects. 
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Tip: 


You can also display a list of iSeries NetServer shared objects by using Windows 
clients. To do so, follow these steps: 


For Windows 98 and NT: 
1. Open the Windows Start menu. 
2. Select Find from the Start menu and then select Computer. 


3. In the Computer Name field, specify the server name of iSeries NetServer (for 
example, QSYSTEM1). 


4. Open iSeries NetServer by double-clicking the found computer. 


For Windows 2000 and Me: 

Open the Windows Start menu. 

Select Search. 

Select For files or Folders... 

Click the Computers link. 

In the Computer Name field, specify the server name of iSeries NetServer. 
Click Search Now. 

Open iSeries NetServer by double-clicking the found computer. 
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For Windows XP: 

Open the Windows Start menu. 

Select Search. 

Click Computers or People. 

Click A Computer in the Network. 

Specify the server name for iSeries NetServer in the appropriate field. 
Click Search. 

Open iSeries NetServer by double-clicking the found computer. 
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Note: You must enroll all users who are working with shared objects from the 
QDLS file system into the iSeries system distribution directory. Users who 
are not enrolled in the system distribution directory are not able to access 
file shares from the QDLS file system. Use the Add Directory Entry 
(ADDDIRE) CL command to enroll users in the system distribution 
directory. 


View and configure iSeries NetServer shared object properties 


You can access the server attributes for iSeries NetServer shared objects through 
iSeries Navigator, which allows you to display and change the properties of a file 
or print share. To view the properties for an iSeries NetServer shared object, follow 
these steps: 


Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of the TCP/IP servers available. 

Right-click iSeries NetServer and select Open. 

Expand Shared Objects. 

Right-click a shared object and select Properties. 
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The iSeries Navigator online help provides detailed information about each of the 


iSeries NetServer shared object properties dialogs. 


View shared object status 


You can view the current statistics for a shared object connection to iSeries 
NetServer through iSeries Navigator. You cannot change or reconfigure shared 
object statistics because they are records that contain information only. 


To display iSeries NetServer shared object status by using iSeries Navigator, follow 


these steps: 

Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to display a list of TCP/IP servers available. 

Right-click iSeries NetServer and select Open. 

Expand Shared Objects. 

Select a shared object. 
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Right-click the session connection and select Status. 


The iSeries Navigator online help provides more details about iSeries NetServer 
shared object status. 


View a list of iSeries NetServer sessions 


iSeries NetServer starts a session whenever a client successfully accesses a shared 


file or print resource. The session displays the PC client, user name, and session 
ID. 


To view a list of active iSeries NetServer sessions, follow these steps: 

Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of the TCP/IP servers available. 

Right-click iSeries NetServer and select Open. 
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Expand Sessions to retrieve a list of active sessions. 


View iSeries NetServer session properties 


You can view the attributes for an active iSeries NetServer session within iSeries 
Navigator. This allows you to see the properties of clients that use iSeries shared 
resources. You cannot change or reconfigure these properties because they are 
records of client activity that contain information only. 


To display the properties for an iSeries NetServer session, follow these steps: 
Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of the TCP/IP servers available. 

Right-click iSeries NetServer and select Open. 

Expand Sessions. 
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7. Right-click a user session and select Properties. 


iSeries NetServer supports multiple users, including guests, logged on from the 
same workstation. Information for each session displays the actual user name even 
if the guest account was used for authentication. As a result, you can see duplicate 
sessions with the same workstation and user name. Information will be displayed 
for the following fields: 


¢ Number of connections 
* Number of files open 
¢ Number of sessions 


Notes: 


1. If multiple sessions have been established, they can end when the iSeries 
NetServer idle time-out value has expired. This occurs regardless of whether or 
not there are open files for that session. 


2. Multiple users could be active from the same workstation. In V5R2, ending a 
user session ends only the iSeries NetServer file and print activity for that 
session. However, when the client workstation detects the loss of connectivity 
for one of the sessions, the client workstation may decide to end them all and 
optionally establish new sessions. 


Note: The iSeries Navigator online help provides detailed information about each 
of the iSeries NetServer session properties dialogs. 


View iSeries NetServer session connection status 


You can view the current statistics for a workstation session connection to iSeries 
NetServer through iSeries Navigator. You cannot change or reconfigure the session 
connection statistics because they are records of client activity that contain 
information only. 


To display iSeries NetServer session connection status by using iSeries Navigator, 
follow these steps: 


Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to display a list a TCP/IP servers available. 

Right-click iSeries NetServer and select Open. 

Expand Sessions. 


Select a session. 
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Right-click the session connection and select Status. 
The iSeries Navigator online help provides more details about iSeries NetServer 


session connection status. 


Note: iSeries NetServer now supports multiple users, including guests, logged on 
from the same workstation. 


Stop an iSeries NetServer session 


iSeries NetServer now supports multiple users, including guests, logged on from 
the same workstation. You can end single or multiple user sessions on a 
workstation. 
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If multiple users are active from the same workstation, ending a user session will 
end only the iSeries NetServer file and print activity for that session. In addition, 
ending an active iSeries NetServer session stops the client workstation use of file 
or print shares on that session. To stop an active session, follow these steps: 


Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of TCP/IP servers available. 

Right-click iSeries NetServer and select Open. 

Expand Sessions. 
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Right-click the user sessions and select Stop. If more than one session is active 
on this same workstation, you are given the option of ending multiple user 
sessions on the workstation. 


Note: Stopping the session of a client does not stop the client from reconnecting to 
the iSeries server and using iSeries NetServer again. 
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Chapter 6. iSeries NetServer file shares 


An iSeries NetServer file share is a directory path that iSeries NetServer shares 
with clients on the iSeries network. A file share can consist of any integrated file 
system directory on the iSeries server. You can create, display, configure, and end 
iSeries NetServer file shares. The following topics provide you with the 
information that you need to manage file-sharing: 


“Create an iSeries NetServer file share” 


Describes how to create a new file share by using iSeries Navigator. A file share 
enables clients to access iSeries resources. 


“Control access to iSeries NetServer file shares” on page 38 


Describes how you can set access for a file share and lists the steps you must 
take to do so. 


“Stop file sharing” on page 38 
Describes the steps you must take to stop file-sharing. 


“Access iSeries NetServer file shares with a Windows client” on page 38 


Describes how to access file shares with your Windows client. 


In general, all integrated file system limitations and considerations apply when 
accessing shared directories with iSeries NetServer. 


See |“Case sensitivity of file systems for iSeries NetServer” on page 39} for 


information about iSeries file systems and case sensitivity. 


Create an iSeries NetServer file share 


You can share any directory in the iSeries integrated file system with clients in the 
network by using iSeries NetServer. Creating an iSeries file share allows PC clients 
to easily access resources on iSeries. 


Unlike iSeries Access for Windows, iSeries NetServer does not share the entire 
integrated file system with the network by default. 


To create a new file share by using iSeries Navigator, follow these steps: 
Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of TCP/IP servers available. 

Right-click iSeries NetServer and select Open. 

Right-click Shared Objects and select New and then File. 


Use the General Properties page to configure the new file share with a name, 
description, access, maximum number of users, and directory path name. 
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8. Use the Text Conversion page to identify which file types will have their 
contents converted from the iSeries file coded character set ID to the coded 
character set ID you specify for the share. 


Note: The iSeries Navigator online help provides more details about iSeries 
NetServer file share properties. 
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Control access to iSeries NetServer file shares 


Designating an access setting for iSeries NetServer file shares through iSeries 
Navigator allows you to control the level of access that PC clients have to objects 
in iSeries integrated file system directory paths. If you set the access of a file share 
to Read only, then clients do not have the authority to change a file. If you set the 
access of a file share to Read/Write, then client users can change any files they 
have authority to in the shared directory paths. 


To set the access for an iSeries NetServer file share, follow these steps: 
Open a connection to iSeries Navigator on your iSeries. 

Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of the TCP/IP servers available. 
Right-click iSeries NetServer and select Open. 

Expand Shared Objects. 

Right-click a file share and select Properties. 

Click the pull-down menu in the Access field. 
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Set the file share access to read only by selecting Read only. Set the file share 
access to read/write by selecting Read/Write. 


Stop file sharing 


To stop the sharing of an integrated file system directory, follow these steps: 
Open a connection to iSeries Navigator on your iSeries. 

Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of the TCP/IP servers available. 
Right-click iSeries NetServer and select Open. 

Expand Shared Objects. 

Right-click a shared file and select Stop Sharing. 
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Note: A file share that is stopped is still available to all clients that are already 
using the share. A stopped file share is not available for any new client 
requests. Any attempts to create a new connection to the stopped share 
will fail. 


Access iSeries NetServer file shares with a Windows client 


You can use your Windows client to access iSeries file shares with iSeries 
NetServer. 


To access file shares by using Windows, you can either map file shares to logical 
drives or use Universal Naming Convention (UNC) mapping. You may find it 
easier, however, to work with logical drive letters as opposed to UNC mapping. 


To map an iSeries NetServer file share to a logical drive on your Windows client, 
follow these steps: 


1. Right-click the Start button and choose Explore to open the Windows Explorer. 


2. Open the Tools pull-down menu on the Windows Explorer and select Map 
network drive. 
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3. Select the letter of a free drive for the file share. 


4. Enter the name of an iSeries NetServer file share. For example, you could enter 
the following syntax: 


\\QSYSTEM1\Sharename 


Note: QSYSTEMI1 is the system name of iSeries NetServer on the iSeries server 
and Sharename is the name of the file share you want to use. 


5. Click OK. 

To use your Windows client to find iSeries NetServer, see |“Find iSeries NetServer 
lon the iSeries network” on page 19|for instructions for your specific Windows 
client. 


Case sensitivity of file systems for iSeries NetServer 


All iSeries file systems, except for three, are case insensitive and do not cause case 
sensitivity conflicts with supported PC clients. 


The following three iSeries file systems, however, are case sensitive: 

* QOpenSys 

* User-Defined File System (UDFS), if specified case-sensitive when created 

* Network File System (NFS), depending on which remote file system you access 


The case of file names is significant in case-sensitive file systems. The names can 
consist of both uppercase and lowercase characters. For example, the QOpenSys 
file system could have three files in it with the following names: 

NETSERVE. DAT 


NetServe.DAT 
netserve.DAT 


These three files have technically different names (because QOpenSys is 
case-sensitive) and represent three distinct, separate objects on iSeries. 


All the PC clients that iSeries NetServer supports are case insensitive. The case of 
file names is insignificant because all file names are translated automatically into 
uppercase. For example, from the three example files that are listed above, all the 
PC clients iSeries NetServer supports would recognize only the following file: 


NETSERVE. DAT 


Therefore, iSeries NetServer may not work correctly when using files in case 
sensitive file systems. This is particularly true when working with case sensitive 
file systems while you are using a graphical user interface such as the Windows 95 
Explorer. 


All other iSeries file systems are case insensitive and do not cause case-sensitivity 
conflicts with supported PC clients. 
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Chapter 7. iSeries NetServer print shares 


You can share any iSeries output queue with PC clients in the network by using 
iSeries NetServer. Consequently, you can create, display, configure, and end print 
shares. A print share consists of any iSeries output queue and supports the 
following spooled file types: 


¢ User ASCII 

¢ Advanced Function Printing” 
* SNA Character String 

¢ Auto-select 


The spooled file type determines how the spooled files are created on your iSeries. 
If autoselect is not used, the spooled file type must correspond exactly to the 
output queue destination or you will experience a print error. 


Windows support for iSeries NetServer print shares 


The following topics provide you with the information that is necessary to manage 
print-sharing: 
“Create an iSeries NetServer print share” 
Describes how to create a print share. Creating a print share enables you to 
give clients access to network printers. 


page 42 
Describes how iSeries NetServer acts as a print server and tells you how to 
access a print driver. 
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“Stop print sharing” on page 42 
Describes the steps that you must take to stop print-sharing. 


“Use iSeries NetServer print shares with Windows 98 and Me” on page 42 


“Use iSeries NetServer print shares with Windows 2000 and XP clients” on 
page 44 


Describes how to access print shares with your Windows 2000 or XP client. 


Create an iSeries NetServer print share 


You can share any iSeries output queue with clients in the network by creating an 
iSeries NetServer print share. Creating an iSeries NetServer print share allows you 
to give PC clients access to iSeries network printers. 


To create a new iSeries NetServer print share by using iSeries Navigator, follow 
these steps: 


1. Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of the TCP/IP servers available. 

Right-click iSeries NetServer and select Open. 
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6. Right-click Shared Objects and select New and then select Printer. 


7. Configure the new print share with a name, description, output queue, printer 
driver, spooled file type, publishing status, and printer file by using the 
General - Properties dialog. 


The iSeries Navigator online help provides detailed information about the iSeries 
NetServer print share dialog. 


PC client print drivers for use with iSeries NetServer print shares 


iSeries NetServer acts as a print server that makes the services of the iSeries 
Network Print Server (NPS) available to PC clients. NPS allows clients with the 
proper print drivers to spool print jobs onto iSeries output queues of various 
spooled file types. These spooled file types include the following: 

* User ASCII 

* Advanced Function Printing (AFP"") 

* SNA Character String (SCS) 


¢ Auto-select 


You can access AFP and SCS print drivers for the supported Windows PC clients 
in either of these ways: 


¢ AFP print drivers are available for free download from the IBM Printing Systems 
Company World Wide Web (WWW) site. 


To download AFP drivers for your PC client go to the IBM Printing Systems 


Company Web site at: |http://www.printers.ibm.com/|“™ . 


* You can also find stand-alone AFP and SCS print drivers in the 
Qca400\Win32\Instal1\Printer folder. Under the appropriate directory for your 
client type, you will find the AFP and SCS print drivers. 


Stop print sharing 


You can stop print-sharing from within iSeries Navigator by following these steps: 
Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to retrieve a list of the TCP/IP servers available. 

Right-click iSeries NetServer and select Open. 

Expand Shared Objects. 

Right-click a shared printer and select Stop Sharing. 
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Use iSeries NetServer print shares with Windows 98 and Me 


You can use Windows 98 and Me to access iSeries print shares with iSeries 
NetServer. To access iSeries NetServer print shares with Windows 98, follow these 
steps: 


1. Open the Windows Start menu. 

Select Find and then select Computer. 

Enter the iSeries NetServer server name. 

Click Find Now. 

When the computer is found, double-click on it. 
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Tip: 


Double-click on the shared printer. 

Select Yes to setup the printer. 

Select the appropriate response for MS-DOS based programs. 
If prompted, select the appropriate driver for your printer. 
Click Next. 


. If prompted, enter a printer name for the shared printer and then click Next. 


Choose whether or not to print a test page from the shared printer. 
Click Finish. 


If you are not sure which Windows client you are using, follow these steps: 


10. 
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Open My Computer. 
Open Printers. 

Start Add Printer. 
Click Next. 

Select Network Printer. 
Click Next. 


Specify the network path of the iSeries NetServer print share. For example, 
you could enter the following network path: 


\\QSYSTEM1\Sharename 


Note: QSYSTEM1 is the server name of iSeries NetServer on the iSeries server. 
Sharename is the name of the iSeries NetServer print share. 


Click Next. 


Select the appropriate print driver for your printer. You may need to provide 
the necessary print driver with your Windows installation CD-ROM. 


Note: Windows clients automatically select the appropriate printer driver 
based on the driver that you specified for the print share. You may skip 
this step if this is the case with your particular PC client. 


Click Next. 


Use iSeries NetServer print shares with Windows NT 


You can use your Windows NT client to access iSeries print shares with iSeries 
NetServer. To do this, follow these steps: 


1. 
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Open the Windows Start menu. 

Select Find and select Computer. 

Enter the server name for iSeries NetServer on the iSeries server. 
Click OK. 

Open iSeries NetServer by double-clicking the found computer. 
Right-click a shared printer and select Open. 

If prompted, select Yes to set up the printer on your computer. 

If prompted, select the appropriate print driver for the shared printer. 
Click Next. 

When you have properly set up the shared printer, click Finish. 
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Use iSeries NetServer print shares with Windows 2000 and XP clients 


You can use your Windows 2000 or XP client to access iSeries print shares with 
iSeries NetServer. To do this, follow these steps: 


Open My Network Places. 

Double-click Computers Near Me. 

Select the system name of iSeries NetServer on the iSeries server. 
Open iSeries NetServer by double-clicking the found computer. 
Right-click a shared printer and select Open. 

If prompted, select Yes to set up the printer on your computer. 

If prompted, select the appropriate print driver for the shared printer. 
Click Next. 

When you have properly set up the shared printer, click Finish. 
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Chapter 8. iSeries NetServer domain logon support 


In an effort to remove the need for a Windows server to handle domain logon 
services in an SMB domain, iSeries NetServer has been enhanced to provide this 
support. Windows clients are able to logon to an iSeries NetServer domain just as 
they would logon to an NT domain. Additional advantages of iSeries NetServer 
providing these services include: 


* iSeries as a primary location for user information and domain logon 
authentication (including home directory and logon scripts) 


* Storage and retrieval of Windows user profiles on iSeries, including Desktop, 
Start Menu, Favorites, and so on 


* Storage, retrieval, and maintenance of Windows system policies from the iSeries 


iSeries NetServer provides specific services necessary or directly related to logon 
support. Thus, iSeries NetServer will identify itself as a PDC and function as a 
Domain Master Browser (DMB) if it is configured as a Logon Server, but iSeries 
NetServer cannot function as a Backup Domain Controller, nor can it dynamically 
replicate Logon related information to WinNT Domain Controllers. See the 
following pages for more information: 


“iSeries NetServer and client PC configuration” 


me 
SO} 
e 8 
Ba. 
of 
Oo Oo 
5 7 
wn 
a 
en 
nO, 
ae 
= ae 
jo} 
ae) 
+O 
=| 
ae) 
ieje) 
for 
RB 
oO 
ay 
jo} 
5 
a 
fia 
= 
a 
58 
a) 
i] 
a 
5 
a) 
oO 
Q 
oO 
a. 
oS 
a 
D 
~ 
oO 
ra) 
o. 
< 
5 
i 
ie je) 
la) 
jo} 
a 


“Logon server setup” on page 46) 

Describes the actions taken when iSeries NetServer starts as a Logon Server. 
“Logon server home directories” on page 46 

Describes how to configure and map to Logon Server home directories 
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“Logon scripts” on page 50 
Describes what logon scripts are and how they are used by iSeries NetServer. 
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iSeries NetServer and client PC configuration 


iSeries NetServer is configured as a Logon Server from the Next Start dialog 
chosen from the General tab of iSeries NetServer properties. 


Windows 98 and Me do not require any additional software to take advantage of 
the Logon Server support. The client interacts with the iSeries Logon Server using 
standard LAN Server networking APIs. Windows NT 4.0, Windows 2000 
Professional, and Windows XP Professional clients require the installation of the 
IBM Networks Primary Logon Client (IPLC) product. This product can be 
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downloaded from the iSeries NetServer web page 


(www.ibm.com/eserver/iseries/netserver/primarylogon.htm). This Primary Logon 
Client overrides the normal Windows NT logon flows and uses networking APIs 
that iSeries NetServer supports. 


Note: Only install the IBM Networks Primary Logon Client for Windows (IPLC) 
on Windows workstation installations. Never install it on a PC configured as 
a server or a terminal server because it will conflict with that type of 
installation and not allow any user to log on. A PC server does not logon to 
another server. Also, remember that iSeries NetServer Domain Logon 
Support can remove the need for such servers. 


Logon server setup 


When iSeries NetServer starts up as a Logon server, the following actions are taken 
in addition to normal startup: 


* Acheck is done for the existence of the NETLOGON share. If this share does not 
exist, then a directory is created 
(/QIBM/UserData/OS400/NetServer/NetLogon) and shared as NETLOGON 
with read-only access. Logon Scripts, system policies, and default user profiles 
can be placed in this directory. 


* iSeries NetServer registers and begins listening on the following TCP/IP 
NetBIOS names: _ MSBROWSE_ <01>, domain<1E>, domain<1C>, 
domain<1B>, domain<1D>, domain server<00>, server<20> 


From a Windows DOS prompt, issuing nbtstat -a server_name will list these 
registered names. If WINS is configured for iSeries NetServer, then these names are 
also registered with WINS. If there is a conflict (meaning some other computer 
already holds one of the unique domain names), then only that particular service 
does not start and CPIB687 (RC=2) message is sent to QSYSOPR describing the 
conflict. See the ae more information on this error 


message. 


Logon server home directories 


Configuring home directories on the Logon Server 


A PC user can be configured to have a home directory and can be collectively 
backed up and maintained on the server. The Logon Server that authenticates the 
user determines the location of their home directory. By default, an iSeries Logon 
Server considers the Home directory path stored in the user profile (on the iSeries 
server) as the PC client user’s home directory too. For example, if user JOE has a 
home directory configured in his user profile as /home/joe, then this path is 
treated as a UNC name (Windows 98) for the client and the client’s view of this 
folder would be \\logonServer\home\joe. The /home directory would need to be 
shared with a share name of HOME in order for a Windows 98 client to map a 
drive to it. 


Mapping a drive to your home directory 


Windows NT, 2000, and XP clients using the IPLC will attempt to map a drive to 
the user’s home directory automatically when they log on. The Windows 98 and 
Me clients use the next freely available drive letter. The Windows 98 client does 
not automatically map to the user’s home directory. To do so after logging on, 
issue the following command from a command prompt: > net use H: /HOME 
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where H is any drive letter you want your home directory to be mapped to. To 
have the Windows 98 client perform this mapping automatically at logon time, this 
command can be placed in a Logon Script in the NETLOGON share on the Logon 
Server. 


IPLC special home directory shares 


During the logon process, Windows NT 4.0 with the IPLC installed can request 

that the user’s home directory be shared, provided that a share with the same 

name as the user does not already exist (in which case, the existing share is taken 

as the user’s home directory). iSeries NetServer honors these share requests in a 

special way. 

* Only the user’s home directory configured in their iSeries user profile can be 
shared. 


* The home directory is shared temporarily. It is not a permanent share and it 
exists only until iSeries NetServer is ended. The client will need to re-share it on 
the next instance of the server. 


* The name of the share is usually the name of the user on the client. If the user’s 
name is greater than 12 characters (resource name limit), then the special share 
name will be a mangled name based on the user name. 


Home Directories on other servers 


Sometimes it is desirable to store user home directories on a server other than the 
Logon Server. This may be the case if a lot of data is normally transferred to and 
from the home directories (perhaps they are also being used to serve roaming 
profiles) and the Logon Server is not equipped to handle this extra load and 
provide responsive Logon support to many clients at the same time. Remote home 
directories can be configured in the user profile for the iSeries server. The remote 
home directory is actually a share on a different server and it is specified by the 
QNTC path to the share. For example, if home directories are to be stored in share 
HOME on iSeries server DRACO2, then the home directory field for user JOE 
could be given as /qntc/draco2/home. Alternatively, individual home directories 
could be shared from DRACO2, in which case the home directory above would be 
given as /qntc/draco2/joe. 


Specifying the QNTC pathname here does not imply that the client is going 
through the QNTC file system on the Logon Server to reach the remote share on 
the home directory server. The client makes a separate direct connection to the 
remote home directory share. The reason why the QNTC path format was chosen 
is to be consistent across the system since this is stored in the user’s profile. This 
way, other applications running locally on the iSeries server would, in theory, be 
able to access this same home directory. 


Note: Since this configuration also changes the home directory for the local user 
that signs on to the iSeries system via PC5250, for example, the ramifications 
of this need to be considered if there is a possibility that the user will sign 
on directly to the iSeries server configured as a Logon Server. 
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Roaming profiles 


iSeries NetServer configured as a Logon Server is capable of supporting roaming 
profiles. Roaming profiles store their personal PC configuration (desktop icons, 
start menu, registry settings, etc.) on a file server in addition to caching them 
locally. In this way, they can logon on from various computers and always get their 
same desktop and profile settings. Other names this function is known by include 
roving users and profile serving. 


In many network environments roaming profiles are not necessary because users 
tend to have their own workstation they always log in from, and the extra time 
needed to download and save a personal profile when the function is used only 
rarely may not be justified. However, there are PC environments where users need 
to hop from workstation to workstation, or they have multiple PCs that should be 
kept in sync (perhaps a mobile laptop in addition to a desk PC). These are ideal 
cases to make use of roaming profiles. 


Another benefit of storing profiles on the server is that they can be made 
mandatory. For example, a user cannot change their profile if it is mandatory. 
Thus, mandatory profiles are downloaded from the server at logon, but are not 
saved back during logoff. 


See the following pages for more information: 


° |“Configuration from Windows NT, 2000, and XP clients” 


* |“Mandatory profiles” on page 49 


* |“Roaming profile issues” on page 50 


Configuration from Windows NT, 2000, and XP clients 


Windows NT, 2000, and XP provide more flexibility with roaming profiles. By 
default, the client attempts to download the user’s roaming profile from the server. 
If the client does not attempt to do this, you must ensure that the profile is set to 
Roaming, in order to take advantage of the support. 


As a logged-on administrator, use the following steps: 


For Windows NT or 2000: 

1. Click Start and select Settings> Control Panel. 
2. Double click System. 

3. Click the User Profiles tab. 

4. Select the user profile and click Change Type. 


For Windows XP: 

Click Start> Control Panel. 

Double click Performance and Maintenance. 
Double click System. 

Click the Advanced tab. 

In the User Profile section, click Settings. 


Oo ONS 


Select the user profile and click Change Type. 


You can also copy an existing Windows user profile to the server in order to prime 
the roaming user profile for a user. From the User profile dialog you opened in 
the previous steps, click the Copy to button. Locally cached profiles (preferences 
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and settings) can be replicated to the Logon Server just like you would copy user 
folders from \Windows\Profiles for Windows 98. Make sure you are copying the 
profiles into the folder that the NT clients will load them from. See the next section 
for discussion on profile locations. If you are migrating multiple profiles from an 
NT server to an iSeries Logon server, then it will probably be more efficient to 
copy over the entire \WINNT\Profiles folder. 


By default, clients with the IPLC attempt to load or store roaming profiles in the 
subdirectory, Profiles, of the user’s home directory. You can override this behavior 
by changing the user Profile Path that is configured. 


For Windows NT: 

1. Click Start and select Programs> Administrative Tools> User Manager. 
2. Double click the user and select the Profile tab. 

3. Specify the profile path. 

4. Click OK. 


For Windows 2000: 

Click Start and select Settings> Control Panel. 
Double click Administrative Tools. 

Double click Computer Management. 

Expand Local Users and Groups. 

Click the Users folder to display the list of users. 
Double click the user and select the Profile tab. 
Specify the profile path. 

Click OK. 


OO OP ON BG I: 


For Windows XP: 

Click Start and select Control Panel. 

Double click Performance and Maintenance. 
Double click Administrative Tools. 

Double click Computer Management. 

Double click the user and select the Profile tab. 
Specify the profile path. 

Click OK. 


NO > ON = 


The Profile path is typically specified in the following form: 
\\logonserver \ profilesShare \ profileDirectory 


Mandatory profiles 


Mandatory profiles are roaming profiles that the don’t get updated when the user 
logs off. Even if the user makes changes to their desktop settings while logged on, 
these changes won’t be saved, and they will see the same settings the next time 
they log on. Windows 98, NT, 2000, and XP clients support the loading of 
Mandatory profiles. 


To change a Windows 98 profile to be mandatory, open the folder on the Logon 


server where the profile is stored and change the extension of the user.dat file to 
man (i.e. user.man). 
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To change a Windows NT, 2000, or XP profile to be mandatory, open the folder on 
the Logon server where the profile is stored and change the extension of 
Ntuser.dat from .dat to .man. 


To prevent the user from altering their profile in any fashion, you will also need to 
ensure the share is configured as read-only and/or the appropriate IFS directory 
permissions are set. 


Roaming profile issues 


There are several issues or conflicts that can occur in a roaming profile 
environment that basically come down to administrative questions. 


Most items stored on the desktop or in the Start folder are shortcuts, so if the 

different PCs that the user is logging on from aren’t set up the exact same way 
(installed programs, folders, etc.) then the shortcuts may not be valid, and you 
may see a series of invalid shortcut errors when you log on in these situations. 


For the same reason as above, it’s best not to mix and match different Operating 
Systems for the same user. Windows 98 and Windows NT profiles can co-exist in 
the same profile folder on the server; however, because different types of 
information are stored in each case, you may see inconsistencies; particularly if the 
profiles are not mandatory. 


If the same user is logged on to the same Logon Server from different clients, user 
profile info is saved independently during logoff for each. So, the last one to log 
off will reflect the actual changes saved to the profile. 


You may see the message, Your roaming profile is not available. You will be logged 
on with your local profile. This typically means that the roaming profile could not 
betta inthis extsctedl place, Sec [Cong mater Com WindowsNs 2000, ancl 
ir clients” on sare aller information on copying a user profile to the server. 


The error may also indicate that either the configured roaming profile folder is not 
shared or the IFS directory permissions do not allow access. 


Users may, inadvertently or not, store files other than shortcuts on their desktop. If 
these files are very large, it can significantly slow down the logon process. A 
workaround is to specify certain profile subfolders not be included in the transfer 
between Logon Server and client. Windows 98 only provides two general 
categories, but Windows NT with service pack 4 gives you a lot more granularity 
with registry settings. 


Logon scripts 


Logon scripts are DOS batch files that the client downloads and runs during the 
logon process. Logon scripts are placed in the NETLOGON share (by default, the 
NETLOGON share is /QIBM/UserData/OS400/NetServer/NetLogon for iSeries 
NetServer) on the Logon Server. Special naming conventions must be followed for 
an iSeries Logon Server to report logon script file names to the client. The 
following steps are used by iSeries NetServer to determine the logon script name. 
Assuming a user name of KRISTY, who is a member of the iSeries Primary Group 
PCGROUP. 


1. If the file KRISTY.BAT (case does not matter for case insensitive file systems) 
exists in the NETLOGON share, then that file is used as the logon script. 


2. Else if PCGROUPBAT exists in the NETLOGON share, then that is used. 


50 Networking iSeries support for Windows Network Neighborhood (iSeries NetServer) 


3. Else the file name QZLSDEFT-.BAT is used. If that file does not exist or is not 
accessible, then no logon script is processed. 


Notes: 


1. Placing a new user or group logon script in the NETLOGON share is not 
guaranteed to be picked up by the user at the next logon without restarting 
iSeries NetServer because this item is cached. However, performing a 
CHGUSRPRF command on a user (with or without options) will cause the 
cache to be updated during the next access and the new logon script should be 
found. 


2. Specifying a logon script name in the local user profile in User Manager on 
WinNT does not override the logon script selection criteria given above. 


If the user is logging on from a PC with the IPLC, that client is limited to DOS 8.3 
logon script file names. For example, if the user logging on is Administrator, and it 
matches a profile on the iSeries called ADMINISTRA (10 char max), then the first 
logon script file checked for will be ADMINIST.BAT. 


Because many more environment variables are defined for WinNT/2000/XP, these 
platforms are capable of running more flexible logon scripts than the Windows 98 
client. For example, from Windows NT with service pack 4, the following 
environment variables are understood: %Homedrive%, %Homepath%, 
%Homeshare%, %OS%, %Userdomain%, %Username%, %Logonserver%, and 
%Processor_level%. 


The following is an example of a logon script designed for users logging in from 
NT clients: 


echo Logged into domain: “Userdomain% 


echo Mapping X drive to personal share... 
net use x: %logonserver%\%username% 


echo Mapping Y drive to operating system specific share... 
net use y: %logonserver%\%0S% 


echo Synchronizing PC time with the server 
net time %logonserver% /SET 
pause 


Policy serving 


Policy serving in an iSeries domain works basically as it would in an NT domain. 
If the client is configured for Automatic Remote Update, then it should look for the 
policy file in the NETLOGON share of the Logon Server and apply the relevant 
policies during logon. This should be the default. Otherwise, Manual Remote 
Update can be used to load the policy from a different share. This setting can be 
checked in the following registry key: 

HKLM \System\CurrentControlSet\Control\ Update, value name UpdateMode. A 
data value of 1 means automatic. 


Policies are a batch of changes that are applied to the PC’s registry that control and 
restrict a number of things, including what shows up on the user’s Start menu, 
whether the user can install software, what the desktop looks like, which 
commands are restricted, and so on. When you edit a policy file, you are making 
changes based on a template which you select. Windows-specific shipped 
templates include common.adm, winnt.adm, and windows.adm. Other applications 
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may provide their own templates that allow the restriction of certain functions in 
the application. For example, iSeries Access provides several. 


System policy files are created with the System Policy Editor (SPE), usually found 
as poledit.exe. The same editor can run on different OS levels, but it is important 
to understand that policy files created on Windows 98 and Me can be used by 
Windows 98 and Me (not Windows NT, 2000, or XP) machines and the file should 
have the name CONFIG.POL. Policy files created on Windows NT, 2000, and XP 
cannot be used by Windows 98 or Me and must have the name NTCONFIG.POL. 


Be very careful when implementing system policies. You can easily lock out a 
function that you did not intend to on a PC, and since policies are applied to the 
local registry, it will remain locked out until you specifically turn it back on in the 
policy file so that the change can be picked up during the next logon. 


Browsing support 


When iSeries NetServer is configured as a Logon Server, it tries to become the 
Primary Domain Controller (PDC) for the domain. Part of that responsibility is the 
role of the Master Browser (MB). This includes being the Domain Master Browser 
(DMB) for the domain and a Local Master Browser (LMB) for the subnet. 


Browsers maintain the list of computers for their respective domain and a list of 
reachable domains. Computers that have SMB resources to share, announce 
themselves to the local subnet (usually every 12 minutes). The LMB for that 
domain and subnet listens for these announcements and adds these computers to 
their browse list. Backup Browsers on the subnet periodically contact the LMB for 
the most recent list. If the LMB knows who the DMB is, it will periodically 
announce itself to the DMB, which in turn asks the LMB for its most recent local 
(same subnet) list to merge with the DMB’s own. The LMB will periodically ask 
the DMB for the complete master list. In this way, each browser will eventually 
have a complete list of computers sharing resources for their domain, and the list 
will be at most 45 minutes old. 


Note: For this support to work as intended, the Browsing Interval configuration 
property should be left as the default 720 seconds. 


Tips and techniques 


The following tips and techniques help you to effectively use iSeries NetServer as a 
Logon Server. 


Verifying which Logon Server actually validated your logon 


To configure a Windows 98 or Windows Me system to display a message at logon 
time that tells you exactly which server and domain it logged into: 


1. Open regedit on the Windows machine and go to 
HKEY_LOCAL_MACHINE\Network\ Logon. 


2. Choose Edit >New >DWORD value. 
3. Name the new value DomainLogonMessage. 
4. Set the data value for DomainLogonMessage to 1. 


Note: Environment variables are available for Windows NT, 2000, and XP to 
query this type of information. 
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Eliminating extra message questions for roaming users logging on from NT, 
2000, and XP 


You may see a message similar to one of the following during logon: 
* Your locally stored profile is newer than the one stored on the server. 
* Aslow network connection to the Logon Server has been detected. 


Then you are asked if the locally cached profile should be used instead. If you 
want to eliminate these types of questions and always download the roaming 
profile on the server for this particular PC, then perform the following to have the 
cached profile deleted after logoff: 


1. Open the registry and go to HKLM\Software\Microsoft\ Windows 
NT\CurrentVersion \ Winlogon 
2. Create a new REG_DWORD item called DeleteRoamingCache. 


3. Give the new item a data value of 1. 


Note that if the Logon Server is unavailable, this user will be reduced to logging 
on locally with the Default User profile, if at all. 


Backup Logon Servers 


iSeries NetServer does not currently offer the concept of a Backup Logon Server 
that can automatically take over in the unlikely event that the primary server goes 
down. However, planning a careful replication strategy ahead of time can make 
this process relatively painless. 


1. Choose an iSeries server as a backup server that is not currently configured as 
the Logon Server for the domain. 


2. Backup the critical logon directories that you use to this server: NETLOGON, 
home, users, etc. 

3. Keep the user profiles in sync between the Logon Server and the Backup. 
Management Central can be used for this. 

4. When the Logon Server is down or a switch-over needs to be made, select the 
Logon Server role option in the NetServer properties of the Backup and restart 
iSeries NetServer. 

5. If not using WINS, update the centrally administered LMHOSTS file if 
necessary. 


Use Browstat.exe to verify domain status 


Besides nbtstat, Browstat is also a helpful Microsoft utility that comes with the NT 
Resource Kit, and Developer Studio subscriptions. It has several functions that 
iSeries NetServer can support including STATUS, ELECT, GETBLIST, GETMASTER, 
GETPDC, and VIEW. 


Troubleshoot the logon server 


Cannot find the Logon Server? 


Most likely, the PC message you see are similiar to one of the following: 
* No domain server was available to validate your password... 
* The system could not log you on now because the domain X is not available. 


This can occur for a number of reasons: 
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* The client cannot resolve to the Logon Server. This is the most common reason 
and there can be a variety of causes, depending how the network is configured. 
The client PC must be able to get the IP address of the Logon Server based on 
the domain name. If the client and Logon Server are located on different TCP/IP 
subnets, then typically broadcast queries are not sent across. There are three 
solution strategies: 


1. It may just work using the domain discovery support of the Microsoft 
Browsing protocol/support . The iSeries Browsing support is discussed in a 
previous section, but the basic idea is that if at least one browser server for 
the domain exists in the subnet that the PC will log on from, and that LMB 
has knowledge of the DMB (Domain Master Browser), then the client can ask 
it for the name of the Logon Server, after which normal name resolution can 
proceed (DNS, etc.). However, there is not always an LMB available to 
service these requests, and in that case, one of the following backup solutions 
should be put in place. 


2. WINS. Windows Internet Name Service is the general solution and 
recommended for complex TCP/IP networks because computers AND the 
services they render are matched with IP. It requires at least one WINS server 
running on a computer with that capability somewhere on the network. 
Then, each computer needing the service should be configured with the IP 
address of the WINS server. This configuration is not covered here. 


3. Static LMHOSTS configuration file on the PC. Host lines can be appended 
with #PRE and #DOM:domain directives to preload domain controllers into 
the name cache. See the sample files shipped with Windows for more 
information. Note that LMHOSTS files can include files on servers so that 
this solution can still be centrally administered. 


Note: The Logon support provided by iSeries NetServer is for clients in the 
same TCP/IP network segment as the server. If your client is in a 
different segment or subnet, then these resolution strategies are not 
guaranteed to work. However, a trick that often works for Windows 
NT, 2000, or XP clients is to change the workgroup of the client 
machine to one that is different than the domain name assigned to 
iSeries NetServer. 

* iSeries NetServer is not started or it didn’t start as a Logon Server for the 
domain in question. Check that it is configured as a Logon Server and that there 
are no conflict messages in QSYSOPR. If you see a CPIB687, read the detailed 
description for more information on the exact nature of the conflict. 


User name could not be found 


This message normally indicates that the user attempting to log on does not have a 
user profile on the iSeries Logon Server. A guest user may not logon to an iSeries 
domain. In extreme cases where the Logon Server is very busy or slow, the user 
may not be making it into iSeries NetServer’s cache quick enough to respond. If 
this is the case, attempting the logon again should succeed. 


Password incorrect 


You are likely to see the following messages when attempting to log on in this 
situation: 


* The domain password you supplied is incorrect or access to the Logon Server 
has been denied. 
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* The Logon attempt was unsuccessful. Select Help for possible causes and 
suggested actions. 


Here are the possible causes for these messages and resolutions: 


* The password you logon to the domain with doesn’t match the password in 
your iSeries user profile. Use your iSeries password and try again. 


* The password in your iSeries profile has expired. Unfortunately, you cannot 
change your iSeries password through Windows, so this must be directly done 
to your profile. 


* Your iSeries user profile is disabled. The administrator must enable it. 


* You are disabled for iSeries NetServer access. The iSeries NetServer 
administrator can check this condition and reenable you from iSeries Navigator. 


¢ Although you are typing the correct password, Windows 98 is using an old 
cached password. The boot drive on the client PC needs to be scanned for a 
user.pwl file and then remove this file. 


* For Windows NT, 2000, and XP it is possible that the wrong machine is being 
resolved to. Try prefacing the user name with the domain name in the logon 
prompt like this: domain\user, where user is the username and domain is the 
domain name. 


For Windows NT, 2000, and XP your password also has to match the password 
stored in the local profile if you have a local profile. If these do not match, then 
you will see a message like, The system could not log you on. Your network 
account and password are correct, but your local account password is out of sync. 
Please contact your administrator... 


Cannot find the iSeries NetServer domain through Network Neighborhood. 


You have configured iSeries NetServer as a Logon Server for domain X, but X does 
not show up in the Microsoft Windows Network of domains. Some possibilities 
are. 


* iSeries NetServer failed to come up as the DMB because of a conflict with 
another computer. Check for message CPIB687 (RC=2) in QSYSOPR. 

* iSeries NetServer is not configured for WINS if WINS is in use. 

* The client PC is not properly configured for WINS. 

* There is no Browser in the local subnet of the PC that is a member of domain X. 


Can log on but do not see my home drive mapped for NT, 2000, or XP clients 
even though the share name exists 


The typical problem here is that although the share was created successfully from 
the client, the path name does not actually exist on the server. When you create a 
user profile on the iSeries, a default home directory path is put in the profile 
(/home/user), however, the actual user directory in home is not created 
automatically. You need to do this manually. For example: ===> CRTDIR 
‘/home/USER1’ 


I want to use a roaming profile from Windows NT, 2000, or XP, but the option to 
change it from ‘Local’ to Roaming’ is disabled 


Remember, that you must be logged onto the target domain with an administrating 
profile (not the profile you want to change to roaming) in order for the option to 
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be available. In V5R1, iSeries NetServer is able to map longer Windows user names 
to truncated iSeries profile names. So, you can do the following: 


1. Create the user profile ADMINISTRA on the iSeries 


2. Give ADMINISTRA a password that matches the password for Administrator 
on the Windows NT client 


3. Now log onto the iSeries domain with the Administrator profile. 
4. Open Control Panel, and then open System. 
5. Click on the User Profiles tab and make the appropriate changes 


My profile is listed as Roaming’, but changes to my settings (or desktop, etc.) 
do not get saved 


The settings get saved to the locally cached copy of your profile, but they are not 
being updated on the server. This is readily apparent if you try to log on from a 
different workstation and you don’t see the updates. This problem can occur when 
the Windows client cannot access the user profile directory where the user profile 
is to be stored. The following are some things to check: 


* Make sure the appropriate access rights are set on each part of the path on the 
Logon Server. 


* Make sure the path is spelled correctly if it is being specified in the User Profile 
settings on the workstation. 


* Also check that unsupported environment variables are not being used. Some 
environment variables are not active/usable until after logon. For example, if 
you specify Ylogonserver% \ profiles\ %username% as the Profile path in User 
Manager on a Win NT workstation with a service pack less than 3, then the 
client will be unable to resolve the %logonserver% environment variable. Try 
using \\servername \profiles\username instead. 


* It’s always a good idea to start with a locally cached profile that is copied to the 
Logon Server. 


Locally stored profile is newer than that on the server 


This dialog occurs when you log on and asks you if you want to use your local 
copy instead. Normally, this is a valid message that you can respond Yes to, so that 
network traffic is reduced, or this message is received repeatedly after just logging 
off from the same workstation. Looking at the time stamps on the two profiles, the 
remote one is 2 seconds older (for example) than the locally cached one which 
indicates that Windows did a final update to the local profile after it copied it out 
to the Logon Server. Ensure that the client’s time is synched with the server’s time. 


Incorrect authentication method used 


The following message is generally received when a user attempts to log in using a 
different authentication method than what the server is currently configured to 
use. 


There are currently no logon servers available to service the logon 
request. 


iSeries NetServer cannot be a Logon Server and have Kerberos authentication 
enabled as well. This message is typically received when a user attempts to sign 
onto an iSeries server using a traditional password, when the iSeries NetServer has 
Kerberos authentication enabled. 
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Chapter 9. iSeries NetServer security 


Using iSeries NetServer securely ensures that unauthorized users do not have 
access to iSeries NetServer resources, configuration, or share data. When you take 
steps to ensure iSeries NetServer security, only authorized users can access iSeries 
NetServer resources and change iSeries NetServer configuration properties. 


You should become familiar with the following topics to ensure the secure use of 
iSeries NetServer on your network: 
“iSeries NetServer user profile authority requirements” 
Find out how iSeries user profile authorities are used in securing iSeries 
NetServer. 
“iSeries NetServer guest user profiles” on page 58 
Learn how to use guest user profiles with iSeries NetServer. 
“Hide iSeries NetServer from the network” on page 58 
Know how hiding iSeries NetServer from Windows Network Neighborhood can 
help keep iSeries NetServer secure. 


iSeries NetServer user profile authority requirements 


iSeries NetServer authenticates client file and print requests that are based on the 
user identity (ID) and password that are used in the Windows desktop logon. If an 
iSeries user profile matches the Windows desktop client user ID, then the 
passwords will be checked. If the passwords do not match, iSeries NetServer will 
prompt the client to enter the correct one. 


Note: If the Windows user ID is longer than 10 characters (also the maximum 
length of the user profile name on the iSeries server), then iSeries NetServer 
truncates the Windows user ID to 10 characters and attempts to match it 
with an iSeries user profile. For example, an iSeries user profile called 
ADMINISTRA could be created to match the Windows Administrator user 
without requiring guest support. 


In order to access iSeries NetServer shared resources, clients may not need an 
iSeries user profile that matches their Windows desktop user. iSeries NetServer can 
provide guest support for those clients that need only basic file and print services. 
This support is not automatically enabled. You can configure it by: 


Right-click on the iSeries NetServer icon and select Properties 
Select the Advanced tab 

Click the Next Start button 

Specify the guest user profile name in the appropriate field 


Po hos 


Note: You need *IOSYSCFG and *SECADM special authority to change the iSeries 
NetServer guest configuration. Changes take effect the next time iSeries 
NetServer is started. In addition, the guest user profile should not have any 
special authorities and should have access only to those iSeries integrated 
file system directories and output queues that are used for basic file and 
print services. 
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iSeries NetServer guest user profiles 


iSeries NetServer supports guest user profiles (this is also known as an anonymous 
user profile). The iSeries server can automatically map an unknown user to the 
guest user profile if you specify a guest user profile. Your network administrator 
can specify and change the guest user profile that iSeries NetServer uses, if 
necessary, on the iSeries NetServer Advanced - Next start page within iSeries 
Navigator. In general, the guest user profile should have very few authorities 
because the guest user is considered a non-trusted user. 


Hide iSeries NetServer from the network 


For an added measure of security you can hide iSeries NetServer from the 
Windows Network Neighborhood. 


To hide iSeries NetServer from the network follow these steps: 

Open iSeries Navigator and connect to the system you want to work with. 
Expand Network. 

Expand Servers. 

Click TCP/IP to display a list of TCP/IP servers available. 

Right-click iSeries NetServer and select Properties. 

Click the Advanced tab and click the Next Start button. 

Select None in the Browsing announcement interval field. 


NQaPro np > 


Note: Setting the browsing announcement interval to None stops the host 
announcements to the network.It also stops domain announcements if 
iSeries NetServer is configured as a Logon Server and may cause 
problems for logon services for some networks. In general, the default 
browsing announcement interval should be left if iSeries NetServer is a 
Logon Server. The default browsing announcement interval is 720 
seconds, or 12 minutes. 
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Chapter 10. Use Windows-style messages with iSeries 
NetServer 


iSeries NetServer can automatically send informational messages to users in the 
following situations: 


* User password is about to expire 


* User is denied access for a variety of reasons when trying to connect to a share 
through iSeries NetServer 

* Active users need to be alerted that the administrator is about to stop iSeries 
NetServer 


In order to use the Windows messages with iSeries NetServer, see the following 
information. 


“Configure the clients” 
Describes the necessary configuration for PC clients to use the messages. 


“Enable the support on iSeries NetServer” on page 60 


Describes the steps to take to enable the iSeries NetServer for messages. 


“New associated iSeries messages” on page 61 


Describes the new text messages added to iSeries NetServer used for clients 
attempting to connect. 


“Display a log of the message send attempts” on page 61 
Describes how to use the iSeries NetServer maintenance program to display 
logged messages. 


“Send custom messages through iSeries NetServer” on page 62 


Describes how to send customized messages to iSeries NetServer users. 
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Configure the clients 


In order for client workstations to receive these messages, the messenger service 
must be active. To activate this service, follow these steps. 


For Windows NT, 2000, and XP: 
1. Click Start > Settings... > Control Panel. 
2. Open Services from Administrative Tools. 


3. Scroll down to find Messenger. Ensure that the status is Started and the 
Startup type is Automatic. 


For Windows 98 and Me: 


You must have the Winpopup.exe program installed. If this is currently installed, 
skip the following installation steps and procede to the Start WinPopup.exe steps. 
If Winpopup.exe is not currently installed, follow these steps: 


1. Click Start > Settings... > Control Panel. 
Click Add/Remove Programs. 

Click the Windows Setup tab. 

Click Accessories. 

Click Details. 

Select the WinPopup. 
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7. Click OK. 


Start WinPopup.exe 

1. Click Start > Run... 

2. Type winpopup.exe in the Open: field. 
3. Click OK. 


For Linux: 


1. You need to enable Samba’s messenger support. Edit the smb.conf file so that it 
contains a message command directive. The following is an example line: 


message command = /bin/bash -c ‘echo -e WinPopup Message from %f on 
$(date): \n >> /tmp/msg.txt; cat %s >> /tmp/msg.txt; echo -e 
\n\n >> /tmp/msg.txt; rm %s' 

2. Restart the Samba server. For example, (on Red Hat): /etc/re.d/init.d/samba 
restart. 


3. Create a shell script that can read the /tmp/msg.txt file and pop the messages 
into a window in the background. The following is an example bash script: 


#!/bin/bash 


# Run this script in the background to display a message window where 
# WinPopup messages are displayed in sequence. Samba must be started 
# and smb.conf must be configured to append messages to /tmp/msg.txt 


# remove old messages 
rm /tmp/msg.txt 

touch /tmp/msg.txt 
chmod 666 /tmp/msg.txt 


rxvt -fb -sb -fn lucidasanstypewriter-bold-14 -sl 2048 -bg red -fg 
white -title SMB Network Messages -geometry 80x10+150+280 -e tail -f 
/tmp/msg.txt 


Note: This script creates an rxvt window. If you do not have rxvt installed or 
would rather use an xterm window, substitute xterm instead. 


4. Save the script as tailmsg.sh and be sure to make this an executable file. 
5. Run this file in the background: ./tailmsg.sh &. 


Enable the support on iSeries NetServer 


By default, the automatic messaging support is disabled. To enable this function in 
V5R2, the Message logging severity for the QZLSSERVER job must be changed 
from the default value of 0. Since the value must be set when iSeries NetServer 
starts, change the job description for the iSeries NetServer job (typically, this value 
is changed to 20): 


CHGJOBD JOBD(QZLSSERVER) LOG(4 20 *NOLIST) 
When iSeries NetServer is restarted, the predefined conditions can then be detected 


and iSeries NetServer can attempt to send a network message to the user who is 
attempting to connect. iSeries NetServer attempts to send the message only if the 
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severity of the associated iSeries message description is greater than or equal to the 
non-zero Message logging severity of the QZLSSERVER job. See the next section 
for the new messages added. 


New associated iSeries messages 


The new iSeries messages added to accommodate this support include the 
following list. These messages are not issued on the iSeries server. Only the text of 
the messages is used (with replacement) to send as a network message to the client 
user attempting to connect. 


* CPIB68A 
CPIB68A: No user profile found for user &1. 
° CPIB68B 
CPIB68B: The profile for user &1 is disabled. 
¢ CPIB68C 
CPIB68C: The password for user &1 is expired. 
¢ CPIB68D 
CPIB68D: No password exists for user &1. 
° CPIB68E 
CPIB68E: User &1 is disabled for iSeries NetServer access. 
¢ CPIB68F 
CPIB68F: User &1 was enabled for iSeries NetServer access. 
* CPIB690 
CPIB690: Password for user &1 will expire in &2 day(s). 
¢ CPIB691 
CPIB691: User &1 has successfully connected. 
* CPIB692 


CPIB692: User &1 encountered Kerberos error &2 connecting through iSeries 
NetServer. 


Note: You must set the Message logging severity value, QZLSSERVER, to 10 in 
order to send the CPIB691 welcome message each time a user connects. 
Otherwise, the value of 20 to ignores this message. The value of 30 disables 
information messages CPIB68F, CPIB690, and CPIB691. 


Display a log of the message send attempts 


At your own risk, you may use the iSeries NetServer maintenance program to 
display a log of network messages that the server attempted to send. The log 
contains a maximum of the last 500 messages, by default. These messages are 
purged when the log is dumped. You can only see the network messages logged 
since the last time that they were dumped. 


To call the maintenance utility, use the following command. 
CALL PGM(QZLSMAINT) PARM(’32’) 


The log is dumped into a spool file in the QSECOFR output queue. Use the Work 
with Spooled Files (WRKSPLF QSECOFR) command to display the queue. 


Example: Spool file dump of logged messages: 
TIME NAME IP-ADDR TYPE RC MESSAGE 


1/23/02 17:39:55 SMBTEST1 CQ050939 2 @ CPIB68B: THE PROFILE FOR USER 
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SMBTEST1 IS DISABLED. 


1/23/02 17:40:16 JOE1 C005095D 7 @ CPIB690: PASSWORD FOR USER JOE1 
WILL EXPIRE IN 3 DAY(S). 


Note: If the RC column is not 0, then there was either an error delivering the 
message to the user or the client’s messaging service reported an error 
condition. 


Send custom messages through iSeries NetServer 


If you have built the GO NETS tools for iSeries NetServer using the QUSRTOOL 
library support, then you can use the Send NetServer Message (GNDNSVMSG) 
command to send custom messages to registered users on the network. The 
command is available through option 14 on the GO NETS menu, and it functions 
like the NET SEND command on Windows. 


Example: Send Windows message to user name JOE1 on the network and to user 
KRISTY specifically on the client machine WORKSTATION1: 


SNDNSVMSG MSG('Reminder: Memo is due today.') TONETID((JOE1) (KRISTY 
WORKSTATION1) ) 


Since a workstation name is not provided for the first user, the message is sent to 
the PC that holds the NetBIOS name. Normally, when a Windows NT, 2000, or XP 
workstation is started, the workstation registers its NetBIOS name on the local 
subnet and with WINS (when WINS is configured). 


When a user logs on, then the user’s name is also registered with the messenger 
service. To see which names are registered with the messenger service, specify 
NBTSTAT -a workstation from a command prompt. The following example output 
shows four registered message names on workstation HORSE: 


NetBIOS Remote Machine Name Table 


Name Type Status 
HORSE <Q0> UNIQUE Registered 
DEPT8 <Q0> GROUP Registered 
HORSE <20> UNIQUE Registered 
DEPT8 <1E> GROUP Registered 
HORSE-AFS <20> UNIQUE Registered 
HORSE <Q3> UNIQUE Registered 
HORSE$ <03> UNIQUE Registered 
MANNY <03> UNIQUE Registered 


Example: Send Windows message to all users with active session connections to 
iSeries NetServer: 


SNDNSVMSG MSG('&1l, the Hawthorne server will be taken down for a disk 

replacement at 1pm') TONETID((*ALLNSVCNN) ) 

The &1 can be used to indicate the user name for replacement text in the message. 
Example: Send Windows message to all users who have made a connection in the 
past to iSeries NetServer (since it was restarted): SNDNSVMSG MSG('Good morning, 
dedicated users!') TONETID((*ALLUSERS) ) 


Messages cannot be longer than 126 character. 
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Chapter 11. Tips and techniques 


You can use the following iSeries NetServer Tips and Techniques to solve problems 
or to make iSeries NetServer work more efficiently for you: 


“iSeries NetServer does not appear in Windows Network Neighborhood” 


“Series NetServer fails to start” 


“Start iSeries NetServer at IPL” on page 64 


“iSeries NetServer security: Guest versus non-Guest” on page 64 


iSeries NetServer does not appear in Windows Network Neighborhood 


iSeries NetServer takes advantage of the Microsoft proprietary browsing protocol 
which allows it to appear in Windows Network Neighborhood. The Browsing 
protocol results in a separate list of computers for each protocol on each adapter. 
As a result, and because iSeries NetServer does not support NetBIOS, the 
transferring of these lists may result in the loss of non-NetBIOS supporting 
computers from the list. 


It is a good idea to make all the computers in the same subnet members of the 
same domain (workgroup). This ensures that the browse announcements from 
iSeries NetServer are received by a computer capable of gathering information for 
the Windows Network Neighborhood. 


Note: If iSeries NetServer is a Logon Server, then it will be the Master Browser for 
the domain and maintain the list of computers. Again, the browse list may 
not be complete if there are servers in a different subnet and that subnet 
does not have its own Master Browser that knows to contact the Domain 
Master Browser with its list. 


iSeries NetServer may also be hidden from the network because of the browse 


announce interval setting. See|“Hide iSeries NetServer from the network” on 


for information on how to correct this problem, if this is the case. 


iSeries NetServer fails to start 


If iSeries NetServer fails to start, you may see the following message in QSYSOPR: 


Message ID. ..... : + CPIB683 Severity. ......: 40 

Message type. ....: Information 

Date sent ......: 04/01/98 Time sent ...... : 14:02:55 

Message... . : The iSeries Support for Windows Network Neighborhood 
(NetServer) was unable to start. 

Cause. .... : The required iSeries NetServer job QZLSSERVER was unable to 
start because of reason code 5. See the following reason codes and their 
meanings: 

1 - Unable to retrieve user credentials. 

2 - Unable to retrieve credentials. 

3 - Exchange user profile failed. 

4 - Unable to obtain lock for service program QZLSSRV1 in library QSYS. 
5 - Start of the NetBIOS over TCP/IP failed with return code 3420. 

6 - Start of the internal server failed with return code 3420. 

7 - Error occurred when sharing resources with the network. 
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Use the help information on this message to help you find the cause of the 
problem. 


Start iSeries NetServer at IPL 


iSeries NetServer is now automatically started and ended as a TCP server when 
the Start TCP/IP (STRTCP) or End TCP/IP (ENDTCP) commands are evoked. 
Additionally, iSeries NetServer can be started and ended as an individual TCP/IP 
server with the use of the Start TCP/IP Server (STRTCPSVR SERVER(*NETSVR)) 
and End TCP/IP Server (ENDTCPSVR SERVER(*NETSVR)) commands. 


You can specify whether the iSeries NetServer starts automatically when TCP/IP is 
started by selecting the Start when TCP/IP is started option on the iSeries NetServer 
General Next Start dialog. This value affects TCP/IP start behavior (it is not an 
iSeries NetServer property), so the changes will not take effect immediately. When 
using iSeries Navigator in iSeries Access for Windows, you can find this dialog by: 


1. In iSeries Navigator, expand Network> Servers> TCP/IP> iSeries NetServer. 
Right click on the iSeries NetServer icon 

Select Properties 

Select the General tab 

Press the Next Start button 
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QZLSSERVER job resides in the QSERVER subsystem. The Start Server 
(QZSLSTRS) and End Server (QZLSENDS) APIs still start and end the server. 
Because of this, no changes are needed in your start-up program if the QSERVER 
subsystem is started before TCP/IP is started. 


iSeries NetServer security: Guest versus non-Guest 


When using iSeries NetServer, normal iSeries user profiles and passwords apply. 
By default, only users with valid iSeries user profiles and passwords can access 
resources on the iSeries. Windows NT, 2000, and XP offer the option to select a 
different userid. If the passwords do not match, you will see a password window. 
Windows will optionally remember the password. 


An iSeries user profile is disabled from using iSeries NetServer when the user has 
tried to access iSeries NetServer a number of times with an incorrect password. An 
iSeries system value name, QMAXSIGN, specifies how many unpermitted access 
attempts disable a user profile. The Windows operating system will retry access 
when denied. So it may appear that the QMAXSIGN limit is reached before the 
number of times actually tried by the client. If the user profile does become 


disabled for iSeries NetServer, you can use one of several methods to re-enable the 
user profile. Scc(Pnable 2 disebled user preGle for more information. 

If a user profile is not found that matches the userid that is used to access iSeries 
NetServer, you may use an optionally configurable guest user profile. This guest, 
created by the iSeries administrator who has *SECADM special authority, should 
only have a password if guest print sharing is being used, and must not have any 


special authorities. The guest user profile allows iSeries file and print sharing by 
users who otherwise would not require an iSeries user profile. 


Note: The guest user profile must have a password if it is to be used for accessing 
print shares because the Network Print Server requires one. 
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Chapter 12. iSeries NetServer API guide 


You can access all of the administrative functions that are available through 
Operations Navigator by using iSeries Application Program Interfaces (APIs) . This 
means that you can administer iSeries NetServer through your CL, COBOL, 
RPGC, and C++ programs. 


Following is a list of APIs that are currently available for administering iSeries 
NetServer: 


Add File Server Share (QZLSADFS) 
Add Print Server Share (QZLSADPS) 


Change File Server Share (QZLSCHFS) 
Change Print Server Share (QZLSCHPS) 
hange Server Guest (QZLSCHSG) 
hange Server Information (QZLSSCHSI) 

* |Change Server Name (QZLSCHSN) 

nd Server (QZLSENDS) 

nd Server Session (QZLSENSS) 

ist Server Information (QZLSLSTD 

* |Open List of Server Information (QZLSOLST) 
* |Remove Server Share (QZLSRMS) 

tart Server (QZLSSTRS) 


Q 
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For additional information about administering iSeries NetServer with APIs, refer 


to |OS/400 APIs 
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Chapter 13. Backup and recovery of configuration and share 
information 


iSeries NetServer uses files in the integrated file system to store configuration 
values and share entries. You should back up these files every time that you save 
the entire iSeries system and each time you change the administration of iSeries 
NetServer. In addition, plan the frequency of your save operations carefully to 
ensure that you always have a usable backup available if your system should fail. 


The location of the iSeries NetServer configuration and share data files on the 
iSeries system is: /QIBM/UserData/OS400/NetServer. The specific files that are 
needed include: 

* Qazlscfg: Contains configuration information. 

¢ Qazlsshr: Contains share information. 


* Qazlsextxxx: Contains text conversion information for a file share, where xxx is a 
file share name. 


Note: The following directory should be backed up if iSeries NetServer is 
configured as a Logon Server: 
/QIBM/UserData/OS400/NetServer/NetLogon. 

For further information on these commands and other useful save and restore 


options, refer to|Backup, Recovery, and Availability, 
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Chapter 14. Troubleshoot iSeries NetServer 


Troubleshooting iSeries NetServer allows you to solve specific problems that are 
related to your use of iSeries NetServer. You may experience various difficulties 
when trying to locate iSeries NetServer on the iSeries network or use iSeries 
NetServer resources. These difficulties may relate to the status of iSeries NetServer 
on iSeries, the PC client connections, the user profile that you use to operate iSeries 
NetServer, or other reasons. 


The following topics provide you with information on how to troubleshoot the 
various problems you may encounter while using iSeries NetServer: 


“Troubleshoot iSeries NetServer user profile connections” 


Learn about what to do if you encounter an error code when trying to access a 
file share. 


“Troubleshoot iSeries NetServer file share directory paths” on page 70) 
Contains information about directory path problems. 


“Troubleshoot iSeries NetServer print share failures” on page 70 


Find out what to do to troubleshoot print share problems. 


“Troubleshoot print problems when using iSeries NetServer guest support” 


Contains information about guest user problems that may arise. 


“Troubleshoot PC client connection problems” on page 71 


Learn about how to troubleshoot PC connection problems. 


“Troubleshoot iSeries NetServer file share problems” on page 71 


Find out what to do to troubleshoot file share problems. 


“Troubleshoot print driver problems” on page 72 


Find out what to do if you notice unreadable text. 


“Troubleshoot iSeries NetServer using the QOSYSOPR message queue” on 


age 72 
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“Troubleshoot iSeries NetServer location on the network” on page 73 


iSeries NetServer may be difficult to find on the network. Learn about the 
troubleshooting techniques available to solve this problem. 

“Troubleshoot iSeries NetServer using Windows-style messages” on page 73 
Find out how Windows-style messages can be used to troubleshoot problems 
with iSeries NetServer. 


Troubleshoot iSeries NetServer user profile connections 


When you are trying to access a file share, an error code may appear for any of the 
following reasons: 


User profiles may not be authorized to a particular shared directory. If this 
occurs, ensure that the user can access the directory by using OS/400 CL 
commands, such as Work with Object Links (WRKLNK). 


Users may be unable to use iSeries NetServer if they attempt to connect to 
iSeries with an incorrect password too many times. If this occurs, then iSeries 
sends a message (CPIB682) to the QSYSOPR message queue. This message 
indicates that the user profile has been disabled for iSeries NetServer access. 
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This does not disable the user profile for iSeries or iSeries Access for Windows, 
but it does stop the user profile from accessing iSeries NetServer. 


Note: In V5R1 Management Central has a facility to monitor messages from 
QSYSOPR. An administrator could use this new facility to be alerted to 
profiles being disabled for iSeries NetServer use. Also, in V5R1 the 
administrator could use iSeries Navigator to periodically look at a list of 
disabled users and re-enable users from the panel. To find all disabled 
user profiles, right-click iSeries NetServer and select Disabled Profiles... 


Clients should connect to iSeries NetServer by using their valid user profiles and 
not the guest user profile. The QZLSFILE job may be in the QSERVER subsystem for 
each active client [user] that connects to an iSeries NetServer [file share]. 
However, QZLSFILE jobs can run in another subsystem if the user has 
configured other subsystems to run iSeries NetServer jobs. 


Active print users will have a job in QUSRWRK that connects to iSeries 
NetServer. A message in the job log indicates to which user the QZLSFILE job 
belongs. It also contains the client name and the client IP address. Also, using 
iSeries Navigator under Work Management > Server Jobs you can find 
QZLSFILE jobs and get properties to see which user is running in the job and the 
IP address of the client. 


Troubleshoot iSeries NetServer file share directory paths 


You may experience errors when accessing an iSeries NetServer file share if the 
directory path you have specified does not exist in the iSeries integrated file 
system. 


If you have specified a directory path for a file share, but the directory path does 
not exist on your iSeries server, then clients will experience an error. The directory 
path that you specify on the File Share General-Properties dialog must exist on 
the iSeries server for clients to avoid an error. 


Troubleshoot iSeries NetServer print share failures 


You may experience trouble when using an iSeries NetServer network printer 
online for any of the following reasons: 


The network printer may not work online because the user does not have 
authorization to the iSeries output queue. If this occurs, you should ensure that 
the user can access the object queue by using OS/400 CL commands, such as the 
Edit Object Authority (EDTOBJAUT) command. 


You may experience difficulty with spooling print jobs to an iSeries output 
queue when using an iSeries NetServer print share. In order for iSeries 
NetServer print shares to function properly, the Network Print Server (NPS) 
must be up and running. If you do not start NPS, then iSeries NetServer print 
shares will not function. 


Clients should connect to iSeries NetServer by using their valid user profiles and 
not the guest user profile. There is one QNPSERVS job entry in the QUSRWRK 
subsystem for each active client that connects to an iSeries NetServer print share. 
The QNPSERVS job starts when a client connects to a shared print resource. 

The guest user profile must have a password and be enabled. 


A maximum of 350 spooled files will be displayed in a network printer window. 
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Troubleshoot print problems when using iSeries NetServer guest 
support 


When you use the iSeries NetServer guest support to access iSeries output queues, 
you may experience trouble when trying to access the server. In addition, your 
specified printer may not go online. If this is the case, you must add a password to 
the iSeries NetServer guest user profile, SMBGUEST, for example. You must also 
ensure that you enable the user profile. The Network Print Server (NPS) requires a 
password for authentication although it will not prompt the user to enter a 
password. 


The addition of a password in the SMBGUEST user profile does not affect users 
who access iSeries NetServer file and print shares. When a user requires guest 
support for file and print services, iSeries NetServer does not prompt the user for 
the SMBGUEST password. Because the SMBGUEST user profile has a password 
and is enabled, set the initial menu parameter to *SIGNOFEF, INLMNU(*SIGNOFF), 
to deny signon access. 


Troubleshoot PC client connection problems 


You can test whether your connection method to iSeries NetServer (for example, 
DNS) is up and running if you experience connection problems. To do so, follow 
these steps: 


1. Open a DOS window from your PC client. 


2. Enter the PING command to test your client connection to iSeries. For example, 
you could PING iSeries NetServer by entering this command: 


ping QSYSTEM1 


Note: QSYSTEM1 is the server name of iSeries NetServer on iSeries. 


If you get a positive return value, then the client connection to iSeries NetServer is 
operating normally. This means that the method the client uses to connect to 
iSeries NetServer and iSeries is up and running. 


Tip: 


Run nbtstat -A ip-address-of-server from a command prompt on the client to 
check connectivity: C: \WINDOWS+>nbtstat -a qnetserver. Using nbtstat can also be 
helpful with connectivity information in case the name of the server is unknown or 
cannot be resolved. 


Another way to check client connectivity to iSeries is to make sure that all actively 
connected clients have a QZLSFILE job entry in the QSERVER subsystem. This job 
may be running in another subsystem if you have configured iSeries NetServer 
jobs to run in other subsystems. The QZLSFILE job starts when a client connects to a 
shared file resource. 


Troubleshoot iSeries NetServer file share problems 


If you experience problems with iSeries NetServer file share readiness on iSeries, 

then you should check the status of iSeries NetServer on iSeries. To do so, follow 

these steps: 

1. Verify that iSeries has started the QSERVER subsystem. If iSeries has not already 
started the QSERVER subsystem, then start it by using the Start Subsystem 
(STRSBS) CL command. 
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2. Verify that iSeries has started the QZLSSERVER job within QSERVER. If iSeries has 
not already started the QZLSSERVER job, then start it by using the STRTCPSVR 
*NETSVR CL command. 


3. Verify that the QZLSFILE prestarted job is waiting for a program start request 
(PSRW status on the Work with Active Jobs screen). If the QZLSFILE prestarted 
job is not waiting for a program start request, then use the Start Prestart Jobs 
(STRPJ) CL command. This starts the prestarted job. 


Note: iSeries NetServer should automatically start a QZLSFILE job on iSeries 
when a client accesses a file share for the first time. Each QZLSFILE job 
supports one client and all of the file shares that are accessed by that 
Windows client when using iSeries NetServer. However, Linux connects 
to separate QZLSFILE jobs for each mount of an iSeries NetServer share. 

4. Add the QZLSFILE prestarted job to the QSERVER subsystem description (or a 
different subsystem description if you have configured others) if it is not 
already present. You can use the Add Prestarted Job Entry (ADDPJE) CL 
command to add the prestarted job entry. 


Troubleshoot print driver problems 


You may notice unreadable printed text when using the Advanced Function 
Printing (AFP) print drivers that you download from the IBM Printing Systems 
Company web site. The unreadable text occurs because the AFP print driver 
substitutes fonts when using information that is directly embedded into the print 
stream of your print job. There are two options available for you to solve the 
problem: 


1. Turn off Font Substitution and turn on Create Inline Form Definition in the 
printer properties on your PC. 


2. Install License Program AFP Fonts 5769FN1 and AFP DBCS Fonts 5769FNT on 
your iSeries. 


For more information about installing License Programs, see the 


fnstalation| book, > 


Troubleshoot iSeries NetServer using the QSYSOPR message queue 


The system operator’s message queue, QSYSOPR, is a good place to look for 
information about iSeries NetServer. Messages are logged to the QSYSOPR 
message queue each time that iSeries NetServer starts and stops and when there 
are any specific errors to report. 


The first message indicates whether iSeries NetServer initialized completely during 
startup. This message is important because it not only specifies whether iSeries 


NetServer started properly, but it also lists the iSeries NetServer server name. 


If iSeries NetServer fails to start successfully, the QSYSOPR message queue logs an 
error message that indicates the reason for the failure. 


Using Display Log (DSPLOG) to find iSeries NetServer 


The Display Log (DSPLOG) CL command with parameter MSGID(CPIB680) 
displays a message that indicates when iSeries NetServer started. The message also 
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specifies the iSeries NetServer server name. You may need to adjust the beginning 
date of the search by using the PERIOD parameter. The message should read as 
follows: 


iSeries Support for Windows Network Neighborhood (iSeries NetServer) 
SERVER_NAME Initialization Complete 


Troubleshoot iSeries NetServer location on the network 


If you experience problems when trying to find iSeries NetServer on the network, 
you can take several steps to resolve the problems: 


1. Ping the iSeries NetServer server name. Pinging the iSeries NetServer server 
name reloads the iSeries NetServer IP address into the PC client cache file. 


2. Verify that you are using the correct system name for iSeries NetServer. The 
QSYSOPR message queue specifies the correct iSeries NetServer server name. 


3. Verify that you have configured your PC client to properly resolve the iSeries 
NetServer server name to an Internet Protocol (IP) address. Configure your PC 
client to resolve the iSeries NetServer server name to an IP address in one of 
the following ways: 


* Map the iSeries NetServer server name to its IP address by using the Domain 
Name System (DNS). 

* Map the iSeries NetServer server name to its IP address by using the 
Windows Internet Naming Service (WINS). 


* Map the iSeries NetServer server name to its IP address by adding an entry 
to the LMHOSTS file. 


Troubleshoot iSeries NetServer using Windows-style messages 


A user trying to connect to a share through iSeries NetServer may be denied access 
for variety of reasons, including: 


* A password mismatch 

* Not enough authority to the underlying file system object 
* The user profile does not exist 

* The user profile is disabled 

* The user is disabled for iSeries NetServer access 

* The password is expired 

* The user profile does not have a password 

* There was a Kerberos authentication failure 


In each of the previous situations, the client typically does not report a meaningful 
error message to help distinguish the problem. In V5R2, support has been added to 
iSeries NetServer to allow Windows-style informational messages to be sent over 
the network to client users on Windows NT, 2000, and XP, as well as Linux 
operating systems. This can greatly improve problem determination for user profile 
connectivity issues. 


For more detailed information using these messages, see [Chapter 10, “Use 


indows-style messages with iSeries NetServer” on page 59 
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Printed in U.S.A. 


